Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems. http://www.secadministrator.com
SPONSOR: GOT SECURITY CHALLENGES? COME SEE SOLUTIONS.
What is Microsoft really doing to improve the security in their products? What are your responsibilities vs. Microsoft’s for security? How can you quickly locate and eliminate security vulnerabilities? Why were some companies protected from Nimda and Code Red when others were not? How can you become proactive, rather than reactive with security issues? Find out the answers to these and other questions at one of more than 15 free, half-day seminars co-sponsored by Microsoft and BindView Corporation, "Proactive Security Management for the Microsoft Enterprise." To find a location near you and to register, go to http://www.bindview.com/MSseminar6
July 24, 2002—In this issue:
1. IN FOCUS
Security Statistics Abound: What Do They Tell Us?
2. SECURITY RISKS
Remote PGP Outlook Encryption Plug-in Vulnerability
Buffer Overrun in Symantec Norton Personal Security Firewall
3. ANNOUNCEMENTS
Energize Your Enterprise at MEC 2002, October 8 Through 11, Anaheim, CA
Real-World Tips and Solutions Here for You
4. SECURITY ROUNDUP
News: New Win2K Pro Security Benchmarks
News: Internet Security Threat Report, Volume II
Feature: * #@$&% SECURITY
Feature: WMP EULA and DRM System Security
5. INSTANT POLL
Results of Previous Poll: Credit Card Information Theft
New Instant Poll: Security Budget
6. SECURITY TOOLKIT
Virus Center
Virus Alert: W32/Dadinu
Virus Alert: W32/Calil
Virus Alert: W32/Frethem.K
FAQ: How Can I Remove the Link Between Outlook 2002 and MSN Messenger?
7. NEW AND IMPROVED
Learn about Web Security, Privacy, and Commerce
Restrict File and Folder Access
Submit Top Product Ideas
8. HOT THREADS
Windows & .NET Magazine Online Forums
Featured Thread: Can DHCP Authenticate a Workstation Before Issuing an IP Address?
HowTo Mailing List:
Featured Thread: Event ID 1000 and Event ID 1202 in Win2K DCs
9. CONTACT US
See this section for a list of ways to contact us.
1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, mark@ntsecurity.net)
SECURITY STATISTICS ABOUND: WHAT DO THEY TELL US?
Are you ready for more security statistics? Newly published information indicates that Linux systems suffered an increasing number of attacks in the first half of 2002, compared with 2001. According to London company mi2g, Linux systems have suffered 7630 attacks so far in 2002, not including viruses and worms. During all of 2001, Linux systems suffered only 5736 attacks. The company said the attacks are largely because of third-party applications with vulnerabilities that administrators don't patch quickly enough.
On the other hand, attacks against Microsoft IIS systems have diminished. According to mi2g, attackers launched 9404 attacks against IIS systems in the first half of 2002, compared with 11,828 attacks in the first half of 2001.
Overall, however, the number of attacks against all systems rose 27 percent over last year. In the first half of 2001, organizations reported 16,007 attacks; so far this year, organizations have reported 20,371 attacks.
Government online systems are experiencing fewer attacks. Fifty-four US government systems reported attacks so far this year, compared with 204 such attacks in the first half of 2001. In the UK, only 12 government systems reported attacks this year, compared with 38 attacks in the first half of 2001. According to mi2g, the US Cyber Security Enhancement Act (CSEA) has probably helped reduce the number of attacks against government systems because the act permits much stiffer penalties for cybercrime. http://www.mi2g.com/cgi/mi2g/press/110702.php
The recently published Computer Emergency Response Team (CERT) statistics reflect an increase in the number of vulnerabilities reported this year. According to CERT, organizations have reported 2148 vulnerabilities so far this year, compared with 2437 reported vulnerabilities in 2001 and 1090 reported in 2000. http://www.cert.org/stats/cert_stats.html
The Computer Security Institute (CSI) released statistics in April 2002 that CSI gathered in conjunction with the Federal Bureau of Investigation (FBI). CSI polled 503 security practitioners; 80 percent of those polled reported financial losses because of system breaches. Forty-four percent (223 entities) were willing to quantify their losses, which totaled about $455,848,000. http://www.gocsi.com/press/20020407.html
Riptech, a Virginia-based security services firm, recently released an interesting set of statistics. Riptech gathered log information from 400 companies in more than 30 countries and confirmed that more than 180,000 attacks took place in the first half of 2002. The report shows that 80 percent of all attacks originate from 10 countries, including the United States, Germany, South Korea, China, France, Canada, Italy, Taiwan, the UK, and Japan. You can read more about Riptech's report in the related news story in the Security Roundup section of this newsletter. http://www.secadministrator.com/articles/index.cfm?articleid=25897
With the exception of a few bright spots, the unsurprising news is that attacks are increasing. Some of the increase might be a function of a trend feeding on itself. For example, more organizations and individuals discover and report more vulnerabilities in some detail. Then, unscrupulous individuals use the details to perpetrate additional attacks. Also, each reported vulnerability—if left unpatched for too long—lets intruders attack an increasing number of systems. Because intruders use search-engine tactics to identify many vulnerable Web servers, the numbers can soar higher.
Given the current climate, patch your systems quickly. And take a moment to answer today's Instant Poll question about the security resources you need to keep your organization from becoming a negative security statistic.
SPONSOR: FREE WHITE PAPER: CONTENT FILTERING STRATEGIES
Defeat cyber-threats. Avoid false alarms. Filter out the most dangerous file extensions. Block undesirable material from entering your company. Check out Panda Software's new white paper and discover how to protect your company against a whole range of threats - from rampant malware to email-transmitted viruses. All of this crucial information is offered to you completely FREE of charge. CLICK the following URL to DOWNLOAD now: http://www.pandasecurity.com/new/enewsletter/form-4021.html
2. SECURITY RISKS (contributed by Ken Pfeil, ken@winnetmag.com)
Remote PGP Outlook Encryption Plug-in Vulnerability
Marc Maiffret and Riley Hassell of eEye Digital Security discovered a vulnerability in Network Associates' (NAI's) pretty good privacy (PGP) Outlook Encryption plugin. The vulnerability can result in remote compromise of the vulnerable system. By sending a specially crafted email to a vulnerable system, an attacker can execute code remotely on that system. Read eEye Digital Security's advisory for a detailed explanation of this vulnerability. NAI has released a patch for the latest version of the PGP Outlook plugin to address this vulnerability.
http://www.secadministrator.com/articles/index.cfm?articleid=25875
Buffer Overrun in SYMANTEC Norton Personal Security Firewall
Ollie Whitehouse of @stake discovered a buffer-overflow vulnerability in Symantec's Norton Personal Firewall that an attacker can exploit to execute code on the vulnerable system. An intruder can exploit this vulnerability even if the requesting application isn't configured in the firewall permission settings to make outgoing requests. See the @stake advisory for a detailed technical explanation. The vendor, Symantec, has released an advisory regarding this vulnerability and recommends that affected users download the patch from the advisory URL when the patch becomes available.
http://www.secadministrator.com/articles/index.cfm?articleid=25895
3. ANNOUNCEMENTS (brought to you by Windows & .NET Magazine and its partners)
ENERGIZE YOUR ENTERPRISE AT MEC 2002, OCTOBER 8 THROUGH 11, ANAHEIM, CA
Don't miss the essential Microsoft infrastructure conference where you'll connect with a world of expert information, technical training sessions, best practices, and hands-on labs. Be among the first 1000 to register and receive a free MEC 2002 DVD valued at $695—plus save $300!
http://www.microsoft.com/corpevents/mec2002
REAL-WORLD TIPS AND SOLUTIONS HERE FOR YOU
Windows & .NET Magazine LIVE!'s full-conference schedule is now online. Don't miss this chance to network with the finest gathering of Windows gurus on the planet. This conference is chock full of "been there, done that" knowledge from people who use Microsoft products in the real world. Register now and access concurrently run XML Web Services Connections for FREE.
http://events.pentontech.com/windows/register.asp
4. SECURITY ROUNDUP
NEWS: New Win2K Pro Security Benchmarks
On July 17, the Center for Internet Security (CIS) released new security benchmarking tools for Windows 2000 Professional. The new benchmarking set consists of a scoring tool along with security templates that you can use to analyze and adjust system security settings.
http://www.secadministrator.com/articles/index.cfm?articleid=25949
NEWS: Internet Security Threat Report, Volume II
Riptech released Volume II of its Internet Security Threat Report, which shows that Internet attacks grew at an annualized rate of 64 percent during the period between January 2002 and June 2002. The report is based on data mining and analysis of more than 11 billion firewall logs and Intrusion Detection System (IDS) alerts from more than 400 companies in more than 30 countries around the world.
http://www.secadministrator.com/articles/index.cfm?articleid=25897
FEATURE: *#@$&% SECURITY
As you know, securing your networks requires vigilance and a lot of work. However, you ignore security at your peril, risking your job and possibly your company's entire future. But when you adopt the right mind-set, security tasks aren't so bad. What's important is to address security problems before it's too late.
http://www.secadministrator.com/articles/index.cfm?articleid=25928
FEATURE: WMP EULA and DRM SYSTEM SECURITY
On June 27, 2002, Microsoft posted a security update to the Windows Media Player (WMP). That update included an End User Licensing Agreement (EULA) covering, among other things, the Digital Rights Management (DRM) system.
http://www.secadministrator.com/articles/index.cfm?articleid=25910
5. INSTANT POLL
RESULTS OF PREVIOUS POLL: CREDIT CARD INFORMATION THEFT
The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Have you or has your company experienced credit card information theft through the Internet?" Here are the results (+/- 2 percent) from the 197 votes:
23% I have experienced Internet credit card information theft
5% My company has experienced Internet credit card information theft
1% Both have experienced Internet credit card information theft
71% Neither has experienced Internet credit card information theft
NEW INSTANT POLL: SECURITY BUDGET
The next Instant Poll question is, "Is your current level of network security a function of budget constraints?" Go to the Security Administrator Channel home page and submit your vote for a) Yes—We need more security staff, b) Yes—We need additional security tools, c) Yes—We need additional staff and tools, d) No—We budget for adequate network security, or e) No—We "spare no expense" for network security.
http://www.secadministrator.com
6. SECURITY TOOLKIT
VIRUS CENTER
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda
VIRUS ALERT: W32/Dadinu
W32/Dadinu is a worm that spreads by sending itself to every address in the Microsoft Messenger Address Book. The worm creates a large number of files on infected computers. The files are copies of the worm.
http://63.88.172.127/panda/index.cfm?fuseaction=virus&virusid=1183
W32/Frethem.K is a worm that spreads through email with a subject that reads "Re: Your password!." This message contains a file attachment called "decrypt-password.exe file." The worm exploits a vulnerability in Microsoft Internet Explorer (IE) 5.5 and IE 5.01 that lets files attached to an email message run automatically simply by viewing the message.
http://63.88.172.127/panda/index.cfm?fuseaction=virus&virusid=1187
FAQ: How can I remove the link between Outlook 2002 and MSN Messenger?
(
contributed by John Savill, http://www.windows2000faq.com )
A. By default, Microsoft Outlook 2002 and MSN Messenger are linked. If both applications are running and you attempt to close MSN Messenger, the following error appears on the screen:
"There are other applications currently using features provided by Windows Messenger. You must close these other applications before you can exit Windows Messenger. These applications may include Outlook, Outlook Express, MSN Explorer, and Internet Explorer."
To remove the link between Outlook 2002 and MSN Messenger, perform the following steps:
Start Outlook.
From the Tools menu, select Options.
Select the Other tab.
Clear the "Enable Instant Messaging in Microsoft Outlook" check box in the Instant Messaging section, then click OK.
Close and restart Outlook for the change to take effect.
7. NEW AND IMPROVED
(contributed by Judy Drennen, products@winnetmag.com)
LEARN ABOUT WEB SECURITY, PRIVACY, AND COMMERCE
O'Reilly & Associates released "Web Security, Privacy & Commerce," a book by Simson Garfinkel and Gene Spafford that provides a reference on Web security risks and the techniques and technologies that you can use to protect yourself against these risks. Topics include cryptography, passwords, digital signatures, biometrics, cookies, log files, spam, Web logs, the Secure Sockets Layer (SSL), digital payments, client-side signatures, pornography filtering, intellectual property, and legal issues. The 756-page book costs $44.95. Contact O'Reilly at 800-998-9938.
http://www.oreilly.com
RESTRICT FILE AND FOLDER ACCESS
CenturionSoft and SoftClan released SoftClan Security Suite, a security and auditing program that can provide Windows Me and Windows 9x systems with protection levels similar to Windows NT on NTFS. You can administer the software by using a transparent monitoring process that doesn't affect system performance. The software restricts file and folder access to protect a system from intruders, accidents, and viruses. The software controls and audits PC use for each user, which is important for PCs that have multiple users. SoftClan Security Suite costs $39.95. Contact CenturionSoft or SoftClan at 202-293-5151.
http://www.centurionsoft.com
SUBMIT TOP PRODUCT IDEAS
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to whatshot@winnetmag.com.
Featured Thread: Can DHCP Authenticate a Workstation Before Issuing an IP Address?
(One message in this thread)
Rich writes that he'll be migrating to a Windows 2000 DHCP server soon. He has a requirement that nonauthorized machines not be allowed on the network. Right now, Rich registers valid media access control (MAC) addresses through DHCP to prevent nonauthorized machines on the network, but performing this task is an administrative nightmare. Rich wants to know whether DHCP performs some other type of machine/user authentication before it issues an IP address so that if the authentication fails, the machine doesn't receive an address on the network. Do you know of any other solution to keep nonauthorized machines off a network? Read the responses or lend a hand: http://www.secadministrator.com/forums/thread.cfm?thread_id=109634
Featured Thread: Event ID 1000 and Event ID 1202 in Win2K DCs
(One message in this thread)
Eric recently had to take down the root server in his domain forest to reinstall the OS. Because he was running a second domain controller (DC) in the domain, the second controller took over as the root of the forest. He repaired the original domain root and put it back on the network as a DC. However, Eric now keeps receiving Event ID 1000 and Event ID 1202 error messages in the Application log every 5 minutes. He has reapplied the group policy link for the Domain Controller OU, but the error messages still appear. How can he resolve this problem? Read the responses or lend a hand at the following URL: http://63.88.172.96/listserv/page_listserv.asp?a2=ind0207c&l=howto&p=738
9. CONTACT US
Here's how to reach us with your comments and questions:
ABOUT IN FOCUS — mark@ntsecurity.net
ABOUT THE NEWSLETTER IN GENERAL — vpatterson@winnetmag.com
(please mention the newsletter name in the subject line)
QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support — securityupdate@winnetmag.com
WANT TO SPONSOR SECURITY UPDATE? emedia_opps@winnetmag.com
This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today! http://www.secadministrator.com/sub.cfm?code=saei25xxup
Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters. http://www.winnetmag.net/email
