Security UPDATE, May 21, 2003 Security Administrator

Windows & .NET Magazine Security UPDATE--May 21, 2003

===============

==== This Issue Sponsored By ====

RippleTech http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BAOq0A2

Research in Motion http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BAOr0A3 (below IN FOCUS)

==========

1. In Focus: Is Trustworthy Computing Trustworthy Yet?

2. Security Risks - Arbitrary Code Execution Vulnerability in Microsoft WMP - Multiple Vulnerabilities in Cisco VPN 3000 Series VPN Concentrators

3. Announcements - How Can You Reclaim 30% to 50% of Windows Server Space? - Guide to Securing Your Web Site for Business

4. Security Roundup - News: New Technology for the Packet Police - News: Virtual Machine Security Melts in the Heat of Attack - News: It's a Worm, It's a Trojan Horse, It's a Keystroke Logger. It's Fizzer - News: Hotmail and .NET Passport Open to Account Theft? - Feature: 5 Techniques for Establishing Highly Secure Systems

5. Security Toolkit - Virus Center - FAQ: How Can I Track Network Users Who Use the Telnet Service to Remotely Log On to My Computer?

6. Event - Security 2003 Road Show 7. New and Improved - Install Turnkey Security Appliance Platform - Manage Digital Identities with PKI-Based Security - Submit Top Product Ideas

8. Hot Thread - Windows & .NET Magazine Online Forums - Featured Thread: ISA Server Losing Persistent Route

9. Contact Us See this section for a list of ways to contact us.

==========

==== Sponsor: RippleTech ====

Protect Your Company Now From the Trusted Intruder with Informant How do you find out if employees are abusing their privileges to access confidential corporate assets? Most companies don't find out until it's too late. Informant is an internal security monitoring, auditing and reporting solution that tells you exactly what's happening on your network . . . from the inside! Informant's granular data capture tracks an employee's every step and notifies you of suspicious activity. Its robust reporting provides instant access to the critical information needed to minimize security risks. Plus, Informant's sensitive file auditing can detect potential electronic theft of data. Find out now how you can protect your company's information assets against internal security threats with Informant today at: http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BAOq0A2

==========

==== 1. In Focus: Is Trustworthy Computing Trustworthy Yet? ==== by Mark Joseph Edwards, News Editor, mark@ntsecurity.net

Microsoft recently launched the Windows Server 2003 OS. It's probably the company's best effort to date at rolling out a secure product. So far, no one has reported security problems with the new OS, but it's still early. Attackers haven't yet hammered on Windows 2003 enough to determine whether its armor has chinks.

However, Microsoft's effort to establish itself as a maker of trustworthy computing products has encountered some other difficulties. As you'll learn from the news story "Hotmail and .NET Passport Open to Account Theft?" in this week's Security UPDATE, Microsoft Passport has an exploitable vulnerability. The Passport problem's simplicity shows that developers didn't think broadly enough about how attackers might try to subvert Passport security. Microsoft has corrected the problem, which is good--but I'm sure Passport account holders wonder whether the service contains other problems.

The NTBugtraq mailing list recently brought to light a second trustworthiness problem--with the Windows Update service. Countless users rely on the service to obtain patches for their Microsoft products. On May 12, Bob Terry posted a message to the list stating that while he was patching systems, Windows Update began reporting back to his systems that no updates were available. He wondered whether the service was down.

NTBugtraq Editor Russ Cooper posted a reply stating that many other users were reporting similar problems. After comparing notes with other users and checking further, Cooper posted another message to the list that summarizes his findings. He discovered that many users had to tweak various aspects of their systems and perform secondary or tertiary checks to determine whether their systems were up-to-date. Below you'll find what Cooper had to say, excerpted for brevity (you can read Cooper's entire post at the URL below): http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0305&L=ntbugtraq&F=P&S=&P=4505

"For at least the past several days, Windows Update has been providing consumers with false information. Windows Update users would connect \[and\] initiate the scan. \[The scan\] would complete and inform \[users that\] their system needed no patches. Wonderful, a clean bill of health, or so the consumer thought.

"In reality, some flaw in the Windows Update process has led it to conclude that a system in need of critical security patches is instead clean and good to go on the Internet. In other words, if the security check fails, tell consumers they're just fine and don't need anything ...

"You wouldn't believe the number of individual \[reports about problems with Windows Update\] I've received. No doubt Microsoft receives far more than I do. I can't believe that huge corporations are having the problems they are, nor can I believe they haven't received a reasonable answer from Microsoft as to why the problems exist ...

"If \[those at Microsoft were\] serious about beginning to tackle the trustworthiness of Microsoft, they'd have done something a year ago when I first called Windows Update a dog. See for yourself, look at my previous musings \[see the URLs below\], then tell me what's been fixed or improved. If, like me, you see nothing ... then the Trustworthy Computing Initiative once again gets an 'F'."

http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0204&L=ntbugtraq&F=P&S=&P=6886 http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0204&L=ntbugtraq&F=P&S=&P=6990

Cooper makes some reasonable observations and valid points. If Windows Update doesn't behave properly, Microsoft should return a message stating that the service is experiencing a problem instead of returning the ambiguous message "no updates available."

The Passport vulnerability and the Windows Update errors seem to reveal a lack of perspective on Microsoft's part. Granted, software will continue to have flaws. However, if we're to trust Microsoft's secure computing initiative as the company undoubtedly wants us to, then Microsoft's software and services must become more secure--and that security includes being more informative.

What do you think? Is Trustworthy Computing trustworthy yet? Send me an email with your thoughts and experiences.

==========

==== Sponsor: Research in Motion ====

NEW BLACKBERRY SECURITY WHITE PAPER Prevent wireless handhelds from compromising your enterprise security! Download the BlackBerry Security White Paper for Microsoft Exchange and learn how the BlackBerry security architecture addresses data encryption, corporate firewalls, lost devices, and other critical security concerns. http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BAOr0A3

==========

==== 2. Security Risks ==== contributed by Ken Pfeil, ken@winnetmag.com

Arbitrary Code Execution Vulnerability in Microsoft WMP Jouko Pynnonen and Jelmer discovered that a vulnerability in Windows Media Player (WMP) 8.0 and WMP 7.1 can result in the execution of arbitrary code on the vulnerable system. This vulnerability stems from a flaw in the way WMP handles the download of skin files. The flaw could let an attacker force a file (e.g., a malicious executable) masquerading as a skin file into a certain location on a user's machine. Microsoft has released Security Bulletin MS03-017 (Flaw in Windows Media Player Skins Downloading could allow Code Execution) to address this vulnerability. http://www.secadministrator.com/articles/index.cfm?articleid=38993

Multiple Vulnerabilities in Cisco VPN 3000 Series VPN Concentrators Multiple vulnerabilities exist in the Cisco VPN 3000 Series Concentrator, the most serious of which can let an attacker access the internal hosts on the IP Security (IPSec) over TCP-configured ports. The other two vulnerabilities can result in a Denial of Service (DoS) condition on the VPN Concentrator. Cisco Systems has released an advisory and a fix for affected customers, which you can obtain from the company's Web site. The company recommends that customers upgrade to fixed software versions, as detailed in this documentation. http://www.secadministrator.com/articles/index.cfm?articleid=38994

==== 3. Announcements ==== (from Windows & .NET Magazine and its partners)

How Can You Reclaim 30% to 50% of Windows Server Space? Attend the newest Web seminar from Windows & .NET Magazine and discover the secrets from the experts. We'll also advise you on how to reduce storage growth and backups by 30% and how to reduce storage administration by 25% or more. There's no charge for this important Web event, but space is limited so register today! http://www.winnetmag.com/seminars/precise

Guide to Securing Your Web Site for Business Download VeriSign's new whitepaper, "Guide to Securing Your Web Site For Business," and discover the practical business benefits of securing your Web site. You'll also learn more about the innovative processes and technologies VeriSign uses to address Internet security issues. Download your free copy now! http://www.verisign.com/resources/gd/secureBusiness/index.html

==== 4. Security Roundup ====

News: New Technology for the Packet Police Cisco Systems has introduced new technology that will let law enforcement agencies and ISPs police both networks and people. According to Cisco, one new capability already present in routers but not yet deployed is the ability to tap both IP telephony calls and data streams. Another is a new Bandwidth Processing Engine (BPE) for the company's uBR7246VXR Cable Modem Termination System (CMTS). http://www.secadministrator.com/articles/index.cfm?articleid=39020

News: Virtual Machine Security Melts in the Heat of Attack Sudhakar Govindavajhala and Andrew W. Appel presented a paper at the 2003 IEEE Symposium about Security Privacy that demonstrates a method of defeating security of virtual machine products such as Microsoft Virtual Machine (VM) and Sun Microsystems and IBM Java virtual machines. The men discovered that they could use a heat lamp to flip bits in memory chips, causing their own untrusted code to run within the virtual machine. http://www.secadministrator.com/articles/index.cfm?articleid=39024

News: It's a Worm, It's a Trojan Horse, It's a Keystroke Logger. It's Fizzer A new worm, dubbed Fizzer, is spreading around the Internet through email and peer-to-peer (P2P) networks. Fizzer carries quite a hostile payload compared with past worms. http://www.secadministrator.com/articles/index.cfm?articleid=39016

News: Hotmail and .NET Passport Open to Account Theft? According to a message posted by Muhammad Faisal Rauf Danka to the BugTraq mailing list, Microsoft's .NET Passport service is wide open to attackers who use a Passport user's Hotmail account to reset the password. Danka claims to have found a certain Passport URL that anyone can enter into a Web browser and thereby hijack a user's Passport account. Microsoft removed access to the vulnerable URL that Danka described. http://www.secadministrator.com/articles/index.cfm?articleid=39001

Feature: 5 Techniques for Establishing Highly Secure Systems Microsoft has documented five TCP registry modifications you can implement to reduce a Windows 2000 system's vulnerability to Denial of Service (DoS) attacks and other common exploits. These techniques are suitable for Win2K systems connected to a WAN or the Internet and for sites operating under strict security controls. Read Paula Sharick's article on our Web site to learn about them. http://www.secadministrator.com/articles/index.cfm?articleid=25027

==== 5. Security Toolkit ====

Virus Center Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda

FAQ: How Can I Track Network Users Who Use the Telnet Service to Remotely Log On to My Computer? contributed by Randy Franklin Smith, rsmith@montereytechgroup.com

A. You need to first enable auditing for Audit logon events and Audit process tracking. Then, look in your event log for an event ID 592 (a new process has been created) for which where the image base filename is tlntsess.exe. Note the Logon ID, and scan the event log for an event ID 528 (successful logon) with the same Logon ID. The User Name in event ID 528 identifies who logged on using the Telnet service.

==== 6. Event ====

Security 2003 Road Show Join Mark Minasi and Paul Thurrott as they deliver sound security advice at our popular Security 2003 Road Show event. http://www.winnetmag.com/roadshows/security2003

==== 7. New and Improved ==== by Sue Cooper, products@winnetmag.com

Install Turnkey Security Appliance Platform 14 South Networks announced IntraLock, a security appliance platform that lets you integrate several vendors' security applications into your servers without affecting the host platform. IntraLock is a turnkey solution that includes hardware that installs in a standard PCI slot, software, and centralized management. VPN work is performed on IntraLock, rather than on the server itself. IntraLock supports three security mechanisms: inbound, outbound, and data stream. IntraLock is available from Value Added Resellers (VARs) and systems integrators. Prices range from $2495 to $4495. Contact 14 South Networks at 866-414-7688, 561-862-5100, or sales@14south.com. http://www.14south.com

Manage Digital Identities with PKI-Based Security Entrust released Entrust Authority Security Manager 7.0, a public key infrastructure (PKI)-based solution to manage the life cycles of certificate-based digital identities--consistently enabling encryption, digital signatures, and authentication capabilities across applications and platforms. This new version offers support for Microsoft smart card logon, additional key pair support for Encrypting File System (EFS), and improved support for Active Directory (AD). Enhanced policy control includes flexible storage options for digital identities, support for legally binding digital signatures, and flexible certificate lifetime policy. Improved audit and reporting capabilities now let you monitor status information to immediately address availability issues and format the reports using XML. Entrust Authority Security Manager 7.0 supports Windows and UNIX environments. Contact Entrust at 888-690-2424 or entrust@entrust.com. http://www.entrust.com

Submit Top Product Ideas Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to whatshot@winnetmag.com.

==== 8. Hot Thread ====

Windows & .NET Magazine Online Forums http://www.winnetmag.com/forums

Featured Thread: ISA Server Losing Persistent Route (Two messages in this thread)

A user writes that he has Microsoft Internet Security and Acceleration (ISA) Server 2000, which he uses as a firewall, proxy, and VPN server. He had the same setup on Windows NT with Proxy Server 2.0 running. In that configuration, he never entered a default gateway in the IP settings of his local NIC. Instead, he entered a persistent route in the route table using the command shell "route" command. He has set up a new box with ISA Server and applied the same settings and theory he used with Proxy Server. However, he loses the persistent route every few days. When he uses the "route print" command, the route doesn't show up in the table. If he tries to add the route again using the "route -p add" command, he receives a response telling him that the route is already there. He wonders what the problem is. Lend a hand or read the responses: http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=58577

==== 9. Contact Us ====

About the newsletter -- letters@winnetmag.com About technical questions -- http://www.winnetmag.com/forums About product news -- products@winnetmag.com About your subscription -- securityupdate@winnetmag.com About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

=============== This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing Windows and related technologies. Subscribe today. http://www.secadministrator.com/sub.cfm?code=saei25xxup

Thank you! __________________________________________________________ Copyright 2003, Penton Media, Inc.