Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com


THIS ISSUE SPONSORED BY

Got security challenges? Come see solutions.
http://www.bindview.com/MSseminar6

Free White Paper: Content Filtering Strategies
http://www.pandasecurity.com/new/enewsletter/form-4021.html
(below IN FOCUS)


SPONSOR: GOT SECURITY CHALLENGES? COME SEE SOLUTIONS.

What is Microsoft really doing to improve the security in their products? What are your responsibilities vs. Microsoft’s for security? How can you quickly locate and eliminate security vulnerabilities? Why were some companies protected from Nimda and Code Red when others were not? How can you become proactive, rather than reactive with security issues? Find out the answers to these and other questions at one of more than 15 free, half-day seminars co-sponsored by Microsoft and BindView Corporation, "Proactive Security Management for the Microsoft Enterprise." To find a location near you and to register, go to
http://www.bindview.com/MSseminar6


July 24, 2002—In this issue:

1. IN FOCUS

  • Security Statistics Abound: What Do They Tell Us?

2. SECURITY RISKS

  • Remote PGP Outlook Encryption Plug-in Vulnerability
  • Buffer Overrun in Symantec Norton Personal Security Firewall

3. ANNOUNCEMENTS

  • Energize Your Enterprise at MEC 2002, October 8 Through 11, Anaheim, CA
  • Real-World Tips and Solutions Here for You

4. SECURITY ROUNDUP

  • News: New Win2K Pro Security Benchmarks
  • News: Internet Security Threat Report, Volume II
  • Feature: * #@$&% SECURITY
  • Feature: WMP EULA and DRM System Security

5. INSTANT POLL

  • Results of Previous Poll: Credit Card Information Theft
  • New Instant Poll: Security Budget

6. SECURITY TOOLKIT

  • Virus Center
    • Virus Alert: W32/Dadinu
    • Virus Alert: W32/Calil
    • Virus Alert: W32/Frethem.K
  • FAQ: How Can I Remove the Link Between Outlook 2002 and MSN Messenger?

7. NEW AND IMPROVED

  • Learn about Web Security, Privacy, and Commerce
  • Restrict File and Folder Access
  • Submit Top Product Ideas

8. HOT THREADS

  • Windows & .NET Magazine Online Forums
    • Featured Thread: Can DHCP Authenticate a Workstation Before Issuing an IP Address?
  • HowTo Mailing List:
    • Featured Thread: Event ID 1000 and Event ID 1202 in Win2K DCs

9. CONTACT US

  • See this section for a list of ways to contact us.

1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, mark@ntsecurity.net)

  • SECURITY STATISTICS ABOUND: WHAT DO THEY TELL US?

  • Are you ready for more security statistics? Newly published information indicates that Linux systems suffered an increasing number of attacks in the first half of 2002, compared with 2001. According to London company mi2g, Linux systems have suffered 7630 attacks so far in 2002, not including viruses and worms. During all of 2001, Linux systems suffered only 5736 attacks. The company said the attacks are largely because of third-party applications with vulnerabilities that administrators don't patch quickly enough.

    On the other hand, attacks against Microsoft IIS systems have diminished. According to mi2g, attackers launched 9404 attacks against IIS systems in the first half of 2002, compared with 11,828 attacks in the first half of 2001.

    Overall, however, the number of attacks against all systems rose 27 percent over last year. In the first half of 2001, organizations reported 16,007 attacks; so far this year, organizations have reported 20,371 attacks.

    Government online systems are experiencing fewer attacks. Fifty-four US government systems reported attacks so far this year, compared with 204 such attacks in the first half of 2001. In the UK, only 12 government systems reported attacks this year, compared with 38 attacks in the first half of 2001. According to mi2g, the US Cyber Security Enhancement Act (CSEA) has probably helped reduce the number of attacks against government systems because the act permits much stiffer penalties for cybercrime.
    http://www.mi2g.com/cgi/mi2g/press/110702.php

    The recently published Computer Emergency Response Team (CERT) statistics reflect an increase in the number of vulnerabilities reported this year. According to CERT, organizations have reported 2148 vulnerabilities so far this year, compared with 2437 reported vulnerabilities in 2001 and 1090 reported in 2000.
    http://www.cert.org/stats/cert_stats.html

    The Computer Security Institute (CSI) released statistics in April 2002 that CSI gathered in conjunction with the Federal Bureau of Investigation (FBI). CSI polled 503 security practitioners; 80 percent of those polled reported financial losses because of system breaches. Forty-four percent (223 entities) were willing to quantify their losses, which totaled about $455,848,000.
    http://www.gocsi.com/press/20020407.html

    Riptech, a Virginia-based security services firm, recently released an interesting set of statistics. Riptech gathered log information from 400 companies in more than 30 countries and confirmed that more than 180,000 attacks took place in the first half of 2002. The report shows that 80 percent of all attacks originate from 10 countries, including the United States, Germany, South Korea, China, France, Canada, Italy, Taiwan, the UK, and Japan. You can read more about Riptech's report in the related news story in the Security Roundup section of this newsletter.
    http://www.secadministrator.com/articles/index.cfm?articleid=25897

    With the exception of a few bright spots, the unsurprising news is that attacks are increasing. Some of the increase might be a function of a trend feeding on itself. For example, more organizations and individuals discover and report more vulnerabilities in some detail. Then, unscrupulous individuals use the details to perpetrate additional attacks. Also, each reported vulnerability—if left unpatched for too long—lets intruders attack an increasing number of systems. Because intruders use search-engine tactics to identify many vulnerable Web servers, the numbers can soar higher.

    Given the current climate, patch your systems quickly. And take a moment to answer today's Instant Poll question about the security resources you need to keep your organization from becoming a negative security statistic.


    SPONSOR: FREE WHITE PAPER: CONTENT FILTERING STRATEGIES

    Defeat cyber-threats. Avoid false alarms. Filter out the most dangerous file extensions. Block undesirable material from entering your company. Check out Panda Software's new white paper and discover how to protect your company against a whole range of threats - from rampant malware to email-transmitted viruses. All of this crucial information is offered to you completely FREE of charge. CLICK the following URL to DOWNLOAD now:
    http://www.pandasecurity.com/new/enewsletter/form-4021.html


    2. SECURITY RISKS
    (contributed by Ken Pfeil, ken@winnetmag.com)

  • Remote PGP Outlook Encryption Plug-in Vulnerability

  • Marc Maiffret and Riley Hassell of eEye Digital Security discovered a vulnerability in Network Associates' (NAI's) pretty good privacy (PGP) Outlook Encryption plugin. The vulnerability can result in remote compromise of the vulnerable system. By sending a specially crafted email to a vulnerable system, an attacker can execute code remotely on that system. Read eEye Digital Security's advisory for a detailed explanation of this vulnerability. NAI has released a patch for the latest version of the PGP Outlook plugin to address this vulnerability. http://www.secadministrator.com/articles/index.cfm?articleid=25875

  • Buffer Overrun in SYMANTEC Norton Personal Security Firewall

  • Ollie Whitehouse of @stake discovered a buffer-overflow vulnerability in Symantec's Norton Personal Firewall that an attacker can exploit to execute code on the vulnerable system. An intruder can exploit this vulnerability even if the requesting application isn't configured in the firewall permission settings to make outgoing requests. See the @stake advisory for a detailed technical explanation. The vendor, Symantec, has released an advisory regarding this vulnerability and recommends that affected users download the patch from the advisory URL when the patch becomes available.
    http://www.secadministrator.com/articles/index.cfm?articleid=25895

    3. ANNOUNCEMENTS
    (brought to you by Windows & .NET Magazine and its partners)

  • ENERGIZE YOUR ENTERPRISE AT MEC 2002, OCTOBER 8 THROUGH 11, ANAHEIM, CA

  • Don't miss the essential Microsoft infrastructure conference where you'll connect with a world of expert information, technical training sessions, best practices, and hands-on labs. Be among the first 1000 to register and receive a free MEC 2002 DVD valued at $695—plus save $300!
    http://www.microsoft.com/corpevents/mec2002

  • REAL-WORLD TIPS AND SOLUTIONS HERE FOR YOU

  • Windows & .NET Magazine LIVE!'s full-conference schedule is now online. Don't miss this chance to network with the finest gathering of Windows gurus on the planet. This conference is chock full of "been there, done that" knowledge from people who use Microsoft products in the real world. Register now and access concurrently run XML Web Services Connections for FREE.
    http://events.pentontech.com/windows/register.asp

    4. SECURITY ROUNDUP

  • NEWS: New Win2K Pro Security Benchmarks

  • On July 17, the Center for Internet Security (CIS) released new security benchmarking tools for Windows 2000 Professional. The new benchmarking set consists of a scoring tool along with security templates that you can use to analyze and adjust system security settings.
    http://www.secadministrator.com/articles/index.cfm?articleid=25949

  • NEWS: Internet Security Threat Report, Volume II

  • Riptech released Volume II of its Internet Security Threat Report, which shows that Internet attacks grew at an annualized rate of 64 percent during the period between January 2002 and June 2002. The report is based on data mining and analysis of more than 11 billion firewall logs and Intrusion Detection System (IDS) alerts from more than 400 companies in more than 30 countries around the world.
    http://www.secadministrator.com/articles/index.cfm?articleid=25897

  • FEATURE: *#@$&% SECURITY

  • As you know, securing your networks requires vigilance and a lot of work. However, you ignore security at your peril, risking your job and possibly your company's entire future. But when you adopt the right mind-set, security tasks aren't so bad. What's important is to address security problems before it's too late.
    http://www.secadministrator.com/articles/index.cfm?articleid=25928

  • FEATURE: WMP EULA and DRM SYSTEM SECURITY

  • On June 27, 2002, Microsoft posted a security update to the Windows Media Player (WMP). That update included an End User Licensing Agreement (EULA) covering, among other things, the Digital Rights Management (DRM) system.
    http://www.secadministrator.com/articles/index.cfm?articleid=25910

    5. INSTANT POLL

  • RESULTS OF PREVIOUS POLL: CREDIT CARD INFORMATION THEFT

  • The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Have you or has your company experienced credit card information theft through the Internet?" Here are the results (+/- 2 percent) from the 197 votes:
    • 23% I have experienced Internet credit card information theft
    • 5% My company has experienced Internet credit card information theft
    • 1% Both have experienced Internet credit card information theft
    • 71% Neither has experienced Internet credit card information theft

  • NEW INSTANT POLL: SECURITY BUDGET

  • The next Instant Poll question is, "Is your current level of network security a function of budget constraints?" Go to the Security Administrator Channel home page and submit your vote for a) Yes—We need more security staff, b) Yes—We need additional security tools, c) Yes—We need additional staff and tools, d) No—We budget for adequate network security, or e) No—We "spare no expense" for network security.
    http://www.secadministrator.com

    6. SECURITY TOOLKIT

  • VIRUS CENTER

  • Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
    http://www.secadministrator.com/panda

  • VIRUS ALERT: W32/Dadinu

  • W32/Dadinu is a worm that spreads by sending itself to every address in the Microsoft Messenger Address Book. The worm creates a large number of files on infected computers. The files are copies of the worm.
    http://63.88.172.127/panda/index.cfm?fuseaction=virus&virusid=1183

  • VIRUS ALERT: W32/Calil

  • W32/Calil emails itself to every address in the Microsoft Outlook Address Book. The message containing the worm has a subject field that reads "FW:FW: LILAC project video attach."
    http://63.88.172.127/panda/index.cfm?fuseaction=virus&virusid=1185

  • VIRUS ALERT: W32/Frethem.K

  • W32/Frethem.K is a worm that spreads through email with a subject that reads "Re: Your password!." This message contains a file attachment called "decrypt-password.exe file." The worm exploits a vulnerability in Microsoft Internet Explorer (IE) 5.5 and IE 5.01 that lets files attached to an email message run automatically simply by viewing the message.
    http://63.88.172.127/panda/index.cfm?fuseaction=virus&virusid=1187

  • FAQ: How can I remove the link between Outlook 2002 and MSN Messenger?

  • ( contributed by John Savill, http://www.windows2000faq.com )

    A. By default, Microsoft Outlook 2002 and MSN Messenger are linked. If both applications are running and you attempt to close MSN Messenger, the following error appears on the screen:

    "There are other applications currently using features provided by Windows Messenger. You must close these other applications before you can exit Windows Messenger. These applications may include Outlook, Outlook Express, MSN Explorer, and Internet Explorer."

    To remove the link between Outlook 2002 and MSN Messenger, perform the following steps:

    1. Start Outlook.
    2. From the Tools menu, select Options.
    3. Select the Other tab.
    4. Clear the "Enable Instant Messaging in Microsoft Outlook" check box in the Instant Messaging section, then click OK.
    5. Close and restart Outlook for the change to take effect.

    7. NEW AND IMPROVED
    (contributed by Judy Drennen, products@winnetmag.com)

  • LEARN ABOUT WEB SECURITY, PRIVACY, AND COMMERCE

  • O'Reilly & Associates released "Web Security, Privacy & Commerce," a book by Simson Garfinkel and Gene Spafford that provides a reference on Web security risks and the techniques and technologies that you can use to protect yourself against these risks. Topics include cryptography, passwords, digital signatures, biometrics, cookies, log files, spam, Web logs, the Secure Sockets Layer (SSL), digital payments, client-side signatures, pornography filtering, intellectual property, and legal issues. The 756-page book costs $44.95. Contact O'Reilly at 800-998-9938.
    http://www.oreilly.com

  • RESTRICT FILE AND FOLDER ACCESS

  • CenturionSoft and SoftClan released SoftClan Security Suite, a security and auditing program that can provide Windows Me and Windows 9x systems with protection levels similar to Windows NT on NTFS. You can administer the software by using a transparent monitoring process that doesn't affect system performance. The software restricts file and folder access to protect a system from intruders, accidents, and viruses. The software controls and audits PC use for each user, which is important for PCs that have multiple users. SoftClan Security Suite costs $39.95. Contact CenturionSoft or SoftClan at 202-293-5151.
    http://www.centurionsoft.com

  • SUBMIT TOP PRODUCT IDEAS

  • Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to whatshot@winnetmag.com.

    8. HOT THREADS

  • WINDOWS & .NET MAGAZINE ONLINE FORUMS

  • http://www.winnetmag.com/forums

  • Featured Thread: Can DHCP Authenticate a Workstation Before Issuing an IP Address?

  • (One message in this thread)

    Rich writes that he'll be migrating to a Windows 2000 DHCP server soon. He has a requirement that nonauthorized machines not be allowed on the network. Right now, Rich registers valid media access control (MAC) addresses through DHCP to prevent nonauthorized machines on the network, but performing this task is an administrative nightmare. Rich wants to know whether DHCP performs some other type of machine/user authentication before it issues an IP address so that if the authentication fails, the machine doesn't receive an address on the network. Do you know of any other solution to keep nonauthorized machines off a network? Read the responses or lend a hand:
    http://www.secadministrator.com/forums/thread.cfm?thread_id=109634

  • HOWTO MAILING LIST

  • http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

    Featured Thread: Event ID 1000 and Event ID 1202 in Win2K DCs
    (One message in this thread)

    Eric recently had to take down the root server in his domain forest to reinstall the OS. Because he was running a second domain controller (DC) in the domain, the second controller took over as the root of the forest. He repaired the original domain root and put it back on the network as a DC. However, Eric now keeps receiving Event ID 1000 and Event ID 1202 error messages in the Application log every 5 minutes. He has reapplied the group policy link for the Domain Controller OU, but the error messages still appear. How can he resolve this problem? Read the responses or lend a hand at the following URL:
    http://63.88.172.96/listserv/page_listserv.asp?a2=ind0207c&l=howto&p=738

    9. CONTACT US
    Here's how to reach us with your comments and questions:

    • ABOUT IN FOCUS — mark@ntsecurity.net
    • ABOUT THE NEWSLETTER IN GENERAL — vpatterson@winnetmag.com

    (please mention the newsletter name in the subject line)

    • TECHNICAL QUESTIONS — http://www.winnetmag.com/forums
    • PRODUCT NEWS — products@winnetmag.com
    • QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION?
      Customer Support — securityupdate@winnetmag.com
    • WANT TO SPONSOR SECURITY UPDATE?
      emedia_opps@winnetmag.com

    This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
    http://www.secadministrator.com/sub.cfm?code=saei25xxup

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.net/email

    Thank you for reading Security UPDATE.