Windows & .NET Magazine Security UPDATE--June 25, 2003

===============

==== This Issue Sponsored By ====

Windows Scripting Solutions http://list.winnetmag.com/cgi-bin3/DM/y/eA0D8O6p0CCB0BAyk0Ay

==========

1. In Focus: Legalizing "Hacking Back": A Comedy of Errors

2. Security Risks
   - Cross-Site Scripting and Script-Injection Vulnerabilities in IE

3. Announcements
   - Attend the Black Hat Briefings & Training, July 28-31 in Las Vegas
   - New Active Directory Web Seminar!

4. Security Roundup
   - News: CERT Bulletin Leaked Early--Again
   - News: Microsoft Helps Improve Web Application Security
   - Feature: 3 Tiers for Your CA Hierarchy

5. Instant Poll
   - Results of Previous Poll: Certifications and Hiring
   - New Instant Poll: Fighting Software Piracy

6. Security Toolkit
   - Virus Center
   - FAQ: How Can I Enable Advanced File-System and Sharing Security for a Windows XP Machine in a Workgroup?

7. Event
   - Storage Road Show Event Archived!

8. New and Improved
   - Set Up Wireless and Wired Security with One Firewall
   - Submit Top Product Ideas

9. Hot Thread
   - Windows & .NET Magazine Online Forums
   - Featured Thread: Hardening the TCP/IP Stack

10. Contact Us
   - See this section for a list of ways to contact us.

==========

==== Sponsor: Windows Scripting Solutions ====
http://list.winnetmag.com/cgi-bin3/DM/y/eA0D8O6p0CCB0BAyk0Ay

Windows Scripting Solutions for the Systems Administrator
You may not be a programmer, but that doesn't mean you can't learn to create and deploy timesaving, problem-solving scripts. Discover Windows Scripting Solutions, the monthly print publication that helps you tackle common problems and automate everyday tasks with simple tools, tricks, and scripts. Try a sample issue today at:
http://list.winnetmag.com/cgi-bin3/DM/y/eA0D8O6p0CCB0BAyk0Ay

==========

==== 1. In Focus: Legalizing "Hacking Back": A Comedy of Errors ====
by Mark Joseph Edwards, News Editor, mark@ntsecurity.net

You might have heard about the comments that US Senator Orrin Hatch of Utah made about fighting copyright piracy. In brief, Hatch advocates using Trojan horse technology to destroy the computers of people who are thought to have pirated copyrighted works more than twice.

Hatch's sentiments echo ideas that those with vested interests in the entertainment industry have voiced before. He believes that we might find better ways to stop piracy. However, if stopping piracy takes destroying computers through Trojan horse code, he's for it. I think that the vast majority of you will agree that Hatch's ideas go against the ideals of democratic society.

Such "hacking back," a form of vigilantism, involves several problems. First of all, catching and punishing criminals is work for law enforcement and judicial systems, not copyright holders. In addition, we currently have no way to determine from a remote location who's actually using a computer or how serial violations might occur.

For example, one person could use a public computer, perhaps at a library or Internet cafe, to download files. If that person inadvertently or unknowingly downloads copyrighted data that wasn't authorized for public distribution, that's one strike against that computer. A second person might later make the same error. Under the ideas that Hatch supports, if a third person downloads copyrighted data not authorized for public use, the injured entity could destroy that computer with a Trojan horse, which the entity would probably launch from a remote location. Meanwhile, the library or Internet cafe would suffer a significant loss for something it did not "do."

The idea makes little sense. I'm sure Hatch meant well in acknowledging software piracy as a serious problem; however, he doesn't seem to understand the underlying technical implications of this form of prevention. People have pointed out that destroying a computer used to download pirated material is akin to destroying the engine of a car because police caught the driver speeding in that car too often. The idea is to produce a financial loss in retaliation for a financial loss, but it amounts to punishing an inanimate technological object for the acts of its operators.

The timing of Hatch's statements was rather ironic. According to a "Wired" report (see the first URL below), at the time the statements were made, Hatch's Web site was using unlicensed copyrighted JavaScript code to facilitate its menu system. (A notice posted on Milonic Solutions' Web site--see the second URL below--states that the license issue with Hatch's Web site has been resolved.) If Hatch's ideas became law, the computer running his Web site could have been destroyed and Hatch, a lawmaker, denied due process. I seriously doubt that he would have appreciated that.
http://www.wired.com/news/politics/0,1283,59305,00.html
http://www.milonic.co.uk/menu/

According to "Wired," the JavaScript code on Hatch's Web site belongs to Milonic Solutions, whose menuing-system code was (at the time of this writing) being used without license across large parts of Continental Airlines' Web site. Furthermore, according to Milonic Solutions, someone had stripped all copyright notices from the menuing code Continental uses. Imagine the impact if a Trojan horse were legally unleashed to destroy Continental's computers. Make any sense to you?

Many copyright holders need a way to better control unauthorized duplication of their works. But using Trojan horses to destroy computers isn't a good answer. Microsoft's Digital Rights Management (DRM) technology might help when it comes to certain types of data. But if someone really wants to pirate copyrighted materials (e.g., code, multimedia, documents), current computer technology--including DRM--simply can't prevent that piracy 100 percent of the time. Quite a dilemma.

==========

==== 2. Security Risks ====
contributed by Ken Pfeil, ken@winnetmag.com

Cross-Site Scripting and Script-Injection Vulnerabilities in IE
Two new vulnerabilities in Microsoft Internet Explorer (IE) can result in the execution of arbitrary code on the vulnerable system. The cross-site scripting vulnerability results from IE not filtering a displayed URL properly and might cause the browser to render HTML passed in the querystring of the URL. The script-injection vulnerability results from a flaw in a common function that internal resources use. An attacker can exploit this flaw to execute script commands in the My Computer zone. Microsoft was notified on February 20, 2003, but hasn't yet released a fix for these problems.
http://www.secadministrator.com/articles/index.cfm?articleid=39344

==== 3. Announcements ====
(from Windows & .NET Magazine and its partners)

Attend the Black Hat Briefings & Training, July 28-31 in Las Vegas
This is the world's premier technical IT security event, with lots of Windows sessions! 10 tracks, 15 training sessions, 1800 delegates from 30 nations including all of the top experts from CSOs to "underground" security specialists. See for yourself what the buzz is all about! Early-bird registration ends July 3. This event will sell out.
http://www.blackhat.com

New Active Directory Web Seminar!
Discover how to securely manage Active Directory (AD) in a multiforest environment, establish attribute-level auditing without affecting AD performance, enhance secure permission management with "Roles," and more! There's no charge for this event but space is limited--register today!
http://www.winnetmag.com/seminars/securead

==== 4. Security Roundup ====

News: CERT Bulletin Leaked Early--Again
An anonymous person has again posted vulnerability information gleaned from CERT.
http://www.secadministrator.com/articles/index.cfm?articleid=39320

News: Microsoft Helps Improve Web Application Security
Microsoft announced the release of a new guide, "Improving Web Application Security: Threats and Countermeasures," designed to help developers create intrusion-resistant applications.
http://www.secadministrator.com/articles/index.cfm?articleid=39321

Feature: 3 Tiers for Your CA Hierarchy
Joseph Neubauer explains why setting up a three-tiered Certificate Authority (CA) hierarchy is usually a better approach than using a one- or two-level CA. Check the article out on our Web site!
http://www.secadministrator.com/articles/index.cfm?articleid=39244

==== 5. Instant Poll ====

Results of Previous Poll: Certifications and Hiring
The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Does your company hire IT administrators based on certifications?" Here are the results from the 164 votes.
- 2% We hire based largely on certifications
- 18% We hire based on certifications and experience
- 51% We consider certifications secondary to work experience
- 29% We hire based only on proven experience

New Instant Poll: Fighting Software Piracy
The next Instant Poll question is, "Do you think legalizing the destruction of software pirates' computers is a reasonable course of action?" Go to the Security Administrator Channel home page and submit your vote for a) Yes or b) No.
http://www.secadministrator.com

==== 6. Security Toolkit ====

Virus Center
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

FAQ: How Can I Enable Advanced File-System and Sharing Security for a Windows XP Machine in a Workgroup?
(contributed by John Savill, http://www.windows2000faq.com)

A. When an XP machine belongs to a domain with shared resources, a Security tab appears on the Properties dialog box for the file, folder, or share. You can use this tab to assign advanced sharing permissions. However, this tab is missing for XP machines that belong to a workgroup.

A new feature in XP effectively logs all remote logons in a workgroup as Guest, regardless of the account and password credentials that the remote computer passes. (This approach avoids the need for different machines in a workgroup to replicate local accounts, which is the method Windows 2000 uses to enable transparent sharing.) XP locks down the Everyone group (to which Guest belongs) permissions, which cuts down on the security problems that an enabled Guest account in Win2K caused. Because all machines in a workgroup are effectively Guest connections, the advanced security features aren't very useful, which is why Microsoft disabled them in XP.

If you want to enable advanced file-system and sharing security, you must disable the ForceGuest registry setting by performing the following steps:
1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey.
3. Double-click forceguest, set it to 0, then click OK.
4. Restart the computer for the change to take effect.

If you disable the Guest account but enable the ForceGuest setting, remote connections will fail, regardless of the username and password the user passes in--even if these credentials are valid.
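The following script is an added example for the procedure and caveat above; it is not part of John Savill's FAQ. It reads the forceguest value under the Lsa subkey, warns when the failure mode just described applies (ForceGuest enabled while the Guest account is disabled), and then sets the value to 0. It assumes an elevated PowerShell session and uses Get-LocalUser, which exists only on Windows 10 / Windows Server 2016 and later (on XP itself the value is edited with regedit as in the steps above); the function names are the example's own.

```powershell
# Added example (not from the FAQ): inspect and switch off the ForceGuest
# setting that maps every remote workgroup logon to the Guest account.
# Assumptions: elevated session; Get-LocalUser (Windows 10 / Server 2016+).

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'forceguest'   # REG_DWORD: 1 = Guest-only model, 0 = classic model

function Get-ForceGuestState {
    # Returns the current value as an int, or $null when the value is absent.
    $item = Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Test-GuestAccountEnabled {
    # $true only when a Guest account exists and is enabled.
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    if ($null -eq $guest) { return $false }
    return [bool]$guest.Enabled
}

function Set-ForceGuest {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    # Create the DWORD if it is missing, otherwise overwrite it in place.
    if ($null -eq (Get-ForceGuestState)) {
        New-ItemProperty -Path $lsaKey -Name $valueName -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $lsaKey -Name $valueName -Value $Value
    }
}

# --- usage ---
$before = Get-ForceGuestState
Write-Host "ForceGuest before: $before (1 = remote logons forced to Guest)"

# The combination the FAQ warns about: every remote connection fails,
# even with valid credentials, because the forced Guest account is disabled.
if ($before -eq 1 -and -not (Test-GuestAccountEnabled)) {
    Write-Warning 'ForceGuest is enabled but the Guest account is disabled: remote connections will fail regardless of credentials.'
}

# Switch to the classic model so the Security tab and per-user permissions apply.
Set-ForceGuest -Value 0
Write-Host "ForceGuest after: $(Get-ForceGuestState). Restart the computer for the change to take effect."
```

The same value is exposed in Local Security Policy as "Network access: Sharing and security model for local accounts"; changing it through the policy editor or through the registry has the same effect, and either way the reboot in step 4 is still required.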

==== 7. Event ====

Storage Road Show Event Archived!
Couldn't make the HP & Microsoft Network Storage Solutions Road Show? View the taped event archives from your Web browser!
http://www.winnetmag.com/roadshows/nas

==== 8. New and Improved ====
by Sue Cooper, products@winnetmag.com

Set Up Wireless and Wired Security with One Firewall
WatchGuard Technologies announced the Firebox SOHO 6 Wireless, a line of firewall/VPN appliances that provide wireless and wired security for small businesses, remote offices, and telecommuters. Features include an integrated 802.11b Wireless Access Point (WAP), four-port LAN 10/100 switch, remote management from a central location, dynamic DNS (DDNS) support, desktop antivirus, meshed VPN topology, and an intuitive Web-based UI for configuration. Users are required to set up security on the Firebox SOHO 6 Wireless before enabling the wireless connection in order to ensure the network is protected from the outset. Each of the three Firebox SOHO 6 Wireless family models includes a 90-day renewable subscription to WatchGuard's LiveSecurity Service, for systematic updates and security intelligence. Contact WatchGuard Technologies at 206-521-8340 or information@watchguard.com.
http://www.watchguard.com

Submit Top Product Ideas
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to whatshot@winnetmag.com.

==== 9. Hot Thread ====

Windows & .NET Magazine Online Forums http://www.winnetmag.com/forums

Featured Thread: Hardening the TCP/IP Stack (Five messages in this thread)

A user writes that his company has several security measures in place through Group Policy, as well as certain ACL adjustments that include the registry on his servers. His servers are also protected by a firewall. In the past, he's hardened the stack for servers sitting in the demilitarized zone (DMZ) that have direct connections to the Internet, but not for member servers. He wants to know whether it's a good idea for him to also harden his member servers' TCP/IP stacks. Lend a hand or read the responses:
http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=59755

==== Sponsored Link ====

FaxBack
Integrate FAX into Exchange/Outlook (Whitepaper, ROI, Trial)
http://www.faxback.com/w2ksponsorlink

AutoProf
Jerry Honeycutt Desktop Deployment Whitepaper
http://www.AutoProf.com/Update_TextLinks_2003_06_23.html

=========

==== 10. Contact Us ====

About the newsletter -- letters@winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products@winnetmag.com
About your subscription -- securityupdate@winnetmag.com
About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

===============

This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing Windows and related technologies. Subscribe today.
http://www.secadministrator.com/sub.cfm?code=saei25xxup

Thank you!
__________________________________________________________
Copyright 2003, Penton Media, Inc.