Security UPDATE, August 20, 2003

Windows & .NET Magazine Security UPDATE--August 20, 2003

===============

==== This Issue Sponsored By ====

Windows Scripting Solutions http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBTy0AH

==========

1. In Focus: Properly Timing Full Disclosure

2. Security Risks - DoS in Cisco CSS 11000 Series Content Switches - DoS in Meteor FTP Server for Windows - Multiple Vulnerabilities in NetWin's SurgeLDAP - Multiple Vulnerabilities in CiscoWorks Common Management Foundation

3. Announcements - Get the eBook That Will Help You Get Certified! - Active Directory eBook Chapter 3 Published!

4. Security Roundup - Feature: Evaluating ICF - Feature: Security IS Your Concern

5. Instant Poll - Results of Previous Poll: RPC/DCOM Probing - New Instant Poll: The RPC/DCOM Worms

6. Security Toolkit - Virus Center - FAQ: How Do I Enable ICF?

7. Event - New--Mobile & Wireless Road Show!

8. New and Improved - Control Device Usage - Assess Web Security and Defend Servers - Submit Top Product Ideas

9. Hot Threads - Windows & .NET Magazine Online Forums - Featured Thread: Help with Patch for MS03-026/Q823980I.exe - HowTo Mailing List: - Featured Thread: How to Verify Local Administrator Passwords

10. Contact Us See this section for a list of ways to contact us.

==========

==== 1. In Focus: Properly Timing Full Disclosure ==== by Mark Joseph Edwards, News Editor, mark@ntsecurity.net

Full disclosure has spurred hot security debates for years. As you know, the Organization for Internet Safety (OIS) has been leading the latest effort toward establishing a more responsible disclosure policy.

In the past, I've advocated full disclosure for learning purposes--as have many security professionals. Although I knew that "black hats" use published code to wreak havoc on other people's systems, I saw a benefit in what legitimate scientific researchers ("white hats") could learn by having that code available. The trade-off seemed reasonable then, and it still does--but the timing of information release is obviously a problem.

Now, even if somebody's published code can be useful (e.g., the code can show that a patch might be broken another way)--far more often than not, that benefit doesn't outweigh the danger of someone taking that code, twisting it into an attack mechanism, and unleashing it on the Internet shortly after the code is released. Clearly, the act of publishing such code only days after the problem has been reported is irresponsible, dangerous, and potentially damaging. Therefore, I want to make it clear that I don't condone such behavior, nor do I condone anyone's use of code for malicious purposes.

Some full-disclosure proponents imply that users deserve to be attacked because they use Microsoft software and the software is full of security holes. That's just another jab at Microsoft. Other proponents maintain that users are responsible for their own problems because they should load available patches. However, as we know, loading patches isn't always the best first step to prevent intrusion. And--although users do need to take responsibility for security--the latter attitude is a short-sighted way to address the victims of predators. Why not use the opportunity to teach people about better security?

The remote procedure call (RPC)/Distributed COM (DCOM) worm (MBlaster) offers a good example of when loading a patch wasn't necessarily the best first step. For some people, loading the Microsoft patch might have actually been the slowest way to defend themselves; for others, the patch wasn't required at all. Also, many people didn't load the patch on their systems, yet their network Intrusion Detection System (IDS) didn't pick up any attempts of the worm trying to infiltrate. The worm might not have scanned that particular network address block looking for open systems, or those people might have defended themselves by other means, such as Network Address Translation (NAT), border firewalls, server firewalls, desktop firewalls, and antivirus software.

In cases in which patches were required, we can't reasonably blame users for not patching their systems fast enough--because all users have their own issues. Also, not everybody uses the Internet constantly, and those who don't might not immediately come across the latest news of a security outbreak. Some home users might not turn on their computers daily or even weekly, and others are ignorant about many security problems and products, including firewalls and antivirus software. Whatever responsibility we assign to them for their own security, they should carry far less blame than the perpetrators.

Some small office/home office (SOHO) users are in a similar predicament; they too might lack the knowledge to gauge the problem as well as the resources to become educated and to properly administer their networks. But they still need to be better protected through their own efforts and through responsible disclosure practices. Large enterprises probably have access to the personnel and know-how, but in any given instance, they might lack the resources to move as swiftly as they'd like.

Obviously, something more must be done to help slow the initial release of malicious programs. Knowing that, I can immediately think of two ways (ideas that others have long held).

The OIS is already taking steps to promote responsible disclosure, which includes limiting who has early access to working exploit code. I think that's a good step, but perhaps we can do more.

Still, mailing lists and other types of discussion forums present a challenge. Some of these forums promote full disclosure with the intent of legitimate study. Even so, rogue elements are an ever-present problem. I question whether a truly responsible student of security would quickly post code (before users have time to become aware of the danger as well as ample time to protect themselves) to a forum in which rogue elements undoubtedly lurk.

If people are responsible, they should try to find a safe outlet for the work they want to publish, one for which timing is a primary consideration. Although finding a safe outlet that considers timing paramount seems like common sense, I point out the need to do so because a few popular forums have long been used to publish security information--so much so that they're "traditional" elements in the security arena. The interchange among the forums' users is largely professional, the signal-to-noise ratio is low, and the discussions stay on topic. Most of you probably know which forums I'm talking about.

Could the operators of those forums become a part of responsible disclosure by more carefully taking into consideration the need for adequate timing--despite the fact that allowing such posting has been longstanding policy? Even in instances in which the posted code is somehow "broken on purpose" to prevent the less educated from using it maliciously, it still presents a danger, especially when people don't consider timing. Let's face it, the worst offenders are smart, so posting broken code is irresponsible disclosure because sooner or later, some attacker will fix and use it. Let's not give them a head start.

By limiting public disclosure of code (and command sequences) related to vulnerabilities, a line will begin to appear dividing responsible security students who do have the public interest entirely at heart from those who don't "get" the inherent dangers of some forms of open discussion when conducted at the wrong time. Security students can find other ways to conduct and discuss security vulnerability details without resorting to a public forum that anyone with an email address can join unchecked.

==========

==== Sponsor: Windows Scripting Solutions ====

Windows Scripting Solutions for the Systems Administrator

You might not be a programmer, but that doesn't mean you can't learn to create and deploy timesaving, problem-solving scripts. Discover Windows Scripting Solutions, the monthly print publication that helps you tackle common problems and automate everyday tasks with simple tools, tricks, and scripts. Try a sample issue today at: http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBTy0AH

==========

==== 2. Security Risks ==== contributed by Ken Pfeil, ken@winnetmag.com

DoS in Cisco CSS 11000 Series Content Switches Cisco Systems' Cisco CSS 11000 series content service switches are vulnerable to a Denial of Service (DoS) condition. By delivering a heavy load of TCP SYN packets directed to the Cisco CSS's circuit address, a malicious user can cause a high CPU load or even sudden reboots, resulting in a DoS condition. Cisco recommends upgrading the software to release WebNS 5.00.110s, which you can download from the company's Web site. http://www.secadministrator.com/articles/index.cfm?articleid=39846

DoS in Meteor FTP Server for Windows A Denial of Service (DoS) condition exists in Meteor FTP 1.5 for Windows. By connecting to the Meteor FTP server and issuing the USER command followed by large amounts of data, someone can cause the FTP server to stop responding. http://www.secadministrator.com/articles/index.cfm?articleid=39845

Multiple Vulnerabilities in NetWin's SurgeLDAP Zive Kamir discovered four new vulnerabilities in NetWin's SurgeLDAP, the most serious of which could result in a Denial of Service (DoS) condition. NetWin recommends upgrading to the latest release of SurgeLDAP, which is available on the company's Web site. http://www.secadministrator.com/articles/index.cfm?articleid=39885 Multiple Vulnerabilities in CiscoWorks Common Management Foundation Two vulnerabilities exist in Cisco Systems' CiscoWorks Common Management Foundation (CMF) 2.1 and earlier, the more serious of which could let an attacker execute arbitrary commands on the vulnerable server. Cisco has published a notice regarding these vulnerabilities and is making patches available for CMF 2.1 and CMF 2.0 free of charge through standard support channels. http://www.secadministrator.com/articles/index.cfm?articleid=39884

==== Sponsor: Virus Update from Panda Software ====

Check for the latest anti-virus information and tools, including weekly virus reports, virus forecasts, and virus prevention tips, at Panda Software's Center for Virus Control. http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBlT0A3

Viruses routinely infect "fully protected" networks. Is total protection possible? Find answers in the free guide HOW TO KEEP YOUR COMPANY 100% VIRUS FREE from Panda Software. Learn how viruses enter networks, what they do, and the most effective weapons to combat them. Protect your network effectively and permanently - download today! http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBDp0Aq

==========

==== 3. Announcements ==== (from Windows & .NET Magazine and its partners)

Get the eBook That Will Help You Get Certified! The "Insider's Guide to IT Certification," from the Windows & .NET Magazine Network, has one goal: to help you save time and money on your quest for certification. Find out how to choose the best study guides, save hundreds of dollars, and be successful as an IT professional. The amount of time you spend reading this book will be more than made up by the time you save preparing for your certification exams. Order your copy today! http://winnet.bookaisle.com/ebookcover.asp?ebookid=13475

Active Directory eBook Chapter 3 Published! The third chapter of Windows & .NET Magazine's popular eBook "Windows 2003: Active Directory Administration Essentials" is now available at no charge! Chapter 3 looks at what's new and improved with Windows Server 2003 Active Directory management. Download it now! http://www.windowsitlibrary.com/ebooks/administeringad/index.cfm?pc=adupd

==== 4. Security Roundup ====

Feature: Evaluating ICF In response to a continuous onslaught of malicious Internet cracking, Microsoft has included the bare-bones Internet Connection Firewall (ICF) with Windows XP Home Edition and XP Professional Edition. This firewall lacks many of the frills of commercially available personal firewalls, but if you configure it correctly, ICF can provide basic, one-way security protection against mischievous probes and malicious software (malware). The author discusses the ICF firewall and examines configuration settings that can maximize its effectiveness in your enterprise. ICF might not win any security-industry awards, but using it will make your PC and your network safer. http://www.secadministrator.com/articles/index.cfm?articleid=25727&pg=1

Feature: Security IS Your Concern Even if security isn't your primary responsibility at your site, it's too important for you to ignore. We all need to take some responsibility for the security of our database systems, even if that's not our official job function. Brian Moran directs you to some best practices and guidelines that will to help you play a responsible role in your company's security. http://www.sqlmag.com/articles/index.cfm?articleid=39842

==== 5. Instant Poll ====

Results of Previous Poll: RPC/DCOM Probing The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Has your company experienced someone probing to determine whether your systems are vulnerable to a remote procedure call(RPC)/Distributed COM (DCOM) exploit?" Here are the results from the 196 votes. - 70% Yes - 17% No - 13% I'm not sure

New Instant Poll: The RPC/DCOM Worms The next Instant Poll question is, "Now that remote procedure call (RPC)/Distributed COM (DCOM) worm variants have appeared, have they affected your network or systems?" Go to the Security Administrator Channel home page and submit your vote for a) Yes, b) No--We patched against it, c) No--We patched and used other defenses, or d) No--We used other defenses, but not the patch. http://www.secadministrator.com

==== 6. Security Toolkit ====

Virus Center Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda

FAQ: How Do I Enable ICF? contributed by Microsoft

A. Internet Connection Firewall (ICF) is built into Windows XP and Windows Server 2003. You'll find the dialog boxes that let you enable the firewall under the Network Settings in the Control Panel. You can also enable ICF using Active Directory (AD) Group Policy. For more step-by-step information about setting up ICF, visit Microsoft's Web site at the first URL below. For details about ICF features and known issues, visit the second URL below. http://www.microsoft.com/windowsxp/pro/using/howto/networking/icf.asp http://www.microsoft.com/technet/prodtechnol/winxppro/plan/icf.asp

==== 7. Event ====

New--Mobile & Wireless Road Show! Learn more about the wireless and mobility solutions that are available today! Register now for this free event! http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BA8Y0AG

==== 8. New and Improved ==== by Sue Cooper, products@winnetmag.com

Control Device Usage SmartLine announced DeviceLock 5.5, software that lets you restrict access to USB and FireWire (IEEE 1394) devices on Windows Server 2003/XP/2000/NT. Following installation, you can assign the appropriate privileges to each user or user group for access to floppy drives, other removable media, CD-ROM drives, tape devices--or USB, FireWire, infrared (IR), and serial and parallel ports. DeviceLock lets you control when, how, and which users can use various devices inside your network. You can also use DeviceLock 5.5 to flush a storage device's buffers. The price is $35 for a single user license. Contact SmartLine at sales@protect-me.com. http://www.protect-me.com

Assess Web Security and Defend Servers NTOBJECTives released the Fire & Water Toolkit 1.02 to help you discover and map your network architecture, pinpoint Web servers vulnerable to attack, protect against the highest-risk Web vulnerabilities, and provide comprehensive HTML reporting with data trending. Methods employed include Web server fingerprinting to identify Web server platforms regardless of banner or stack manipulation; advanced page proofing to determine whether a requested resource is on the target or has been designed to return custom error messages; and smart vulnerability selection to select and execute only the vulnerabilities relevant to each target, according to the accurate identification of your Web server platform. The Fire & Water Toolkit 1.02 is free for personal use; for enterprise users, the cost is $199 per user or $999 for an unlimited enterprise license. Contact NTOBJECTives at 949-635-0981 or info@ntobjectives.com. http://www.ntobjectives.com

Submit Top Product Ideas Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to whatshot@winnetmag.com.

==== 9. Hot Thread ====

Windows & .NET Magazine Online Forums http://www.winnetmag.com/forums

Featured Thread: Help with Patch for MS03-026/Q823980I.exe (Nine messages in this thread)

A user writes that he has a Dell server running Windows NT 4.0 Server with Service Pack 6a (SP6a). When he tries to execute hotfix Q823980I.exe, which is related to Microsoft Security Bulletin MS03-026 (Buffer Overrun In RPC Interface Could Allow Code Execution) on his server, he receives two error messages. First, a message box appears with a red X and the words "Setup Error - The operation completed successfully." After clicking the OK button, which is the only option, he receives a second setup error box with a red X and the message "Windows NT 4.0 Hotfix installation did not complete." His only option at that point is to again click the OK button. So, the patch isn't loaded and isn't applied.

Dell Custom Factory Integration installed NT 4.0 Server with SP6a when the organization purchased the server, which is identical to his other server on which he deployed the patch with no problem. Does anyone have any idea what went wrong on this particular server? He has tried shutting down all applications and all unnecessary NT services, but that did not help. Lend a hand or read the responses: http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=62281

HowTo Mailing List http://63.88.172.96/listserv/page_listserv.asp?s=howto

Featured Thread: How to Verify Local Administrator Passwords (Six messages in this thread)

A user writes that he's attempting check whether the local administrator password is different from one of five possible passwords, and he wants to output the list of noncompliant machines to a text file. He wants to know about tools, scripts, or insights into how to accomplish these tasks. Lend a hand or read the responses. The thread begins at the first URL below and continues at the second URL. http://63.88.172.96/listserv/page_listserv.asp?A2=IND0308A&L=HOWTO&P=193 http://63.88.172.96/listserv/page_listserv.asp?A2=IND0308B&L=HOWTO&P=193

==== Sponsored Links ====

Ultrabac FREE live trial-Backup & Disaster Recovery software w/ encryption http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBi50AU

CrossTec Free Download - NEW NetOp 7.6 - faster, more secure, remote support http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBnb0AK

=========

==== 10. Contact Us ====

About the newsletter -- letters@winnetmag.com About technical questions -- http://www.winnetmag.com/forums About product news -- products@winnetmag.com About your subscription -- securityupdate@winnetmag.com About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

=============== This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing Windows and related technologies. Subscribe today. http://www.secadministrator.com/sub.cfm?code=saei25xxup

Thank you! __________________________________________________________ Copyright 2003, Penton Media, Inc.