Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows Server 2003, Windows 2000, and Windows NT systems.
http://www.secadministrator.com


THIS ISSUE SPONSORED BY

Black Hat Windows Security Briefings & Training
http://www.blackhat.com

Windows Powered NAS Web Seminar
http://www.winnetmag.com/seminars/nas
(below IN FOCUS)


SPONSOR: BLACK HAT WINDOWS SECURITY BRIEFINGS & TRAINING

Spooked about Windows security? Getting "slammed" hard by worms? Find all of the solutions at Black Hat Windows Security Briefings & Training, February 24-27 in Seattle, the world's premier technical event for Windows security experts. All of the top experts you've read about recently are speaking. Fully supported by Microsoft, with new MS hosted training sessions just added! Visit http://www.blackhat.com to register.


February 5, 2003—In this issue:

1. IN FOCUS

  • Report Says Cyber Threats Rising, New Areas of Risk

2. SECURITY RISKS

  • Session Authentication Vulnerability in Compaq Insight Manager
  • DoS in Microsoft Win2K Terminal Services

3. ANNOUNCEMENTS

  • Don't Miss Our 2 New Security Web Seminars in March!
  • Windows & .NET Magazine Connections: Learn from the Writers You Know and Trust

4. SECURITY ROUNDUP

  • News: Microsoft Renames Palladium, Gives Up Trademark Hunt
  • Feature: SQL Server SP3: To Install or Not to Install?
  • News: Microsoft Revised Five Security Bulletins

5. INSTANT POLL

  • Results of Previous Poll: Security Administrative Duties
  • New Instant Poll: Slammer/Sapphire Worm

6. SECURITY TOOLKIT

  • Virus Center
  • Virus Alert: W32/SQLSlammer
  • FAQ: Having Trouble Enabling SSL on Your Site?

7. NEW AND IMPROVED

  • Centrally Manage Sidewinder Firewalls
  • Capture and Analyze Your Network Traffic
  • Submit Top Product Ideas

8. HOT THREAD

  • Windows & .NET Magazine Online Forums
  • Featured Thread: Do IPSec Policies Slow Server Response?
  • HowTo Mailing List
  • Featured Thread: Are MAILTO and POST Safe for Transactions?

9. CONTACT US

  • See this section for a list of ways to contact us.

1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, mark@ntsecurity.net)

  • REPORT SAYS CYBER THREATS RISING, NEW AREAS OF RISK

  • One glaringly apparent aspect of the Slammer/Sapphire worm is that it didn't carry a destructive payload. That is, it did no damage to the systems to which it propagated. Instead, it consumed huge amounts of bandwidth because it could spread so rapidly. For a great technical analysis of the worm, visit one of the URLs below:
    http://www.caida.org/analysis/security/sapphire/
    http://www.silicondefense.com/sapphire/
    http://www.cs.berkeley.edu/~nweaver/sapphire/

    Unlike Slammer/Sapphire, many intrusive pieces of code have carried destructive payloads, and some of them also propagated by a variety of means, including through file systems, file-sharing systems, email systems, and open ports with vulnerable services. Nimda, Opaserv, Bugbear, and Klez are examples of such malicious code.

    This week, Symantec released the "Symantec Internet Security Threat Report, Volume III," available at the URL below. According to the new report, the Opaserv, Bugbear, and Klez threats alone accounted for nearly 80 percent of all malicious code during the past 6 months. Symantec says we should expect to see even more virus and worm intrusions that use a blended type of attack.
    http://enterprisesecurity.symantec.com/content.cfm?articleid=1539

    The report states that "the variety of threat types that facilitate compromises of data/system availability, confidentiality, and integrity is clearly increasing. While historical data analysis indicates that Windows 32 threats, blended threats, and self-replicating mass-mailers are all on the rise, there are several risks based on market analysis that also warrant close attention."

    Those risks include Instant Messaging (IM), peer-to-peer (P2P) applications, and mobile devices. Symantec's report states that according to Gartner, as of fourth quarter 2002, about 70 percent of enterprises use unmanaged IM software on their networks. As a result of IM's popularity, we might see virus and worm designers begin to use IM applications to spread code more widely than ever before.

    P2P networks are in the same boat as IM networks. Napster made P2P networks hugely popular, and since Napster's demise, other popular networks have cropped up (e.g., KaZaA, LimeWire, Morpheus). Infectious code has already traversed P2P networks. And as P2P application use rises, so does the potential for virus and worm propagation.

    Wireless networking is hugely popular and growing by leaps and bounds. Many businesses already use wireless LANs (WLANs) to support countless mobile laptop users, and to a lesser extent, mobile PDA users, such as those who use Palm and Research In Motion's (RIM's) BlackBerry. As the computing power of new mobile devices (including cell phone/PDA combinations) increases, so does the risk of virus and worm intrusion. Symantec points out that the "always-on" nature of such devices, as well as their tendency to be remotely connected to sensitive data, will attract intrusion attempts.

    So when I consider little worms such as Slammer/Sapphire in conjunction with intrusive nuisances such as Nimda (or Opaserv, Bugbear, and Klez) and the many systems on the Internet with unpatched vulnerabilities, what comes to mind is a stage set for a more serious disaster. And Symantec's overall report points out that potential.

    We need to realize that someday, probably sooner rather than later, someone will release an incredibly nasty worm that wreaks havoc on systems by using every point of attack it can find. To be as prepared as possible, you need to use the most up-to-date antivirus software, firewalls, Intrusion Detection Systems (IDSs), and monitoring solutions available. You must also audit your systems regularly to ensure compliance with your security policies. Because as we saw with Slammer/Sapphire, if you aren't part of the solution, you are or might become part of the problem.


    SPONSOR: WINDOWS POWERED NAS WEB SEMINAR

    NEW WEB SEMINAR: AN INTRODUCTION TO WINDOWS POWERED NAS

    Would you like to find out how to consolidate your Windows NT file servers while reducing costs? Or, do you need to formulate a solid disaster recovery plan? Mark Smith, a former MIS manager and founder of Windows & .NET Magazine, will illustrate how Windows Powered NAS can help you address these issues and more, without impacting day-to-day business.

    Register today at:
    http://www.winnetmag.com/seminars/nas


    2. SECURITY RISKS
    (contributed by Ken Pfeil, ken@winnetmag.com)

  • Session Authentication Vulnerability in Compaq Insight Manager

  • An authentication vulnerability in Hewlett-Packard's (HP's) Compaq Insight Manager HTTP 5.1.0 can let a nonprivileged user access the system. If a legitimate user logs on to the Web Agent Service through HTTP Secure (HTTPS) on port 2301 and doesn't use the logout function, the session remains valid for 15 minutes, even after the browser is closed. This time frame can let a nonprivileged user on the same system log on with privileged access. Compaq says that version 5.3 isn't vulnerable to this condition.
    http://www.secadministrator.com/articles/index.cfm?articleid=37863

  • DoS IN MICROSOFT WIN2K TERMINAL SERVICES

  • A vulnerability in Windows 2000 Server Terminal Services can let a malicious user force a reboot of the terminal server. Microsoft hasn't released a fix or a response. The discoverer's posted workaround for Win2K suggests removing all permissions on msgina.dll for Power Users, Users, and Everyone.
    http://www.secadministrator.com/articles/index.cfm?articleid=37878

    3. ANNOUNCEMENTS
    (brought to you by Windows & .NET Magazine and its partners)

  • DON'T MISS OUR 2 NEW SECURITY WEB SEMINARS IN MARCH!

  • Windows & .NET Magazine has two new Web seminars to help you address your security concerns. There is no fee to attend "Selling the Importance of Security: 5 Ways to Get Your Manager's Attention" and "Building an Ultra Secure Extranet on a Shoe String," but space is limited, so register today!
    http://www.winnetmag.com/seminars

  • WINDOWS & .NET MAGAZINE CONNECTIONS: LEARN FROM THE WRITERS YOU KNOW AND TRUST

  • In-depth coverage by the world's top gurus of Windows security: Keeping Up with Service Packs and Security Patches, Identity Management with PKI, Implementing Security with Group Policy, Defend your networks by planning your own "Hack Attack," Using Event Logs to identify intruder activity, Securing wireless LANs, Managing AD Security with ADSI and WSH, Making IIS a Secure Web Server, and more.
    http://www.winconnections.com

    4. SECURITY ROUNDUP

  • NEWS: Microsoft Renames Palladium, Gives Up Trademark Hunt

  • Microsoft has revealed that it has given up trying to trademark "Palladium," the term it had given to its secure computing initiative. The company says that the technologies once called Palladium will now go by the name Next Generation Secure Computing Base, which it feels is more accurate and mature.
    http://www.secadministrator.com/articles/index.cfm?articleid=37770

  • FEATURE: SQL SERVER SP3: To Install or Not to Install?

  • Microsoft released SQL Server 2000 Service Pack 3 (SP3) on January 17, raising the inevitable question, "To install or not to install?" SQL Server Product Support Services (PSS) recommends applying the latest service pack even if you're not aware of a specific fix that will help you. If you're contemplating whether to install this service pack (especially because it helps protect against attacks such as the Slammer/Sapphire worm), be sure to read what Brian Moran has to say about it.
    http://www.secadministrator.com/articles/index.cfm?articleid=37857

  • NEWS: MICROSOFT REVISED FIVE SECURITY BULLETINS

  • Microsoft has recently revised five security bulletins: MS02-071 (Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Escalation), MS02-039 (Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution), MS02-056 (Cumulative Patch for SQL Server), MS02-043 (Cumulative Patch for SQL Server), MS02-032 (26 June 2002 Cumulative Patch for Windows Media Player). Security bulletin MS02-061 supersedes bulletins MS02-039, MS02-056, and MS02-043; technicians made notes about patch loading order in conjunction with hotfix 317748. The revision to MS02-032 fixes a broken link to the related patch.
    http://www.secadministrator.com/articles/index.cfm?articleid=37905

    5. INSTANT POLL

  • RESULTS OF PREVIOUS POLL: SECURITY ADMINISTRATIVE DUTIES

  • The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Does your company use Microsoft Internet Security and Acceleration (ISA) Server 2000?" Here are the results from the 168 votes. (Deviations from 100 percent are due to rounding errors.)
    • 64% Tightening general security
    • 17% Defending against network attacks
    • 5% Defending against Web site attacks
    • 8% Filtering Junk email
    • 5% Controlling employee surfing habits

  • NEW INSTANT POLL: SLAMMER/SAPPHIRE WORM

  • The next Instant Poll question is, "Did the Slammer/Sapphire worm directly affect your network, connectivity, or computerized activities?" Go to the Security Administrator Channel home page and submit your vote for a) Yes or b) No.
    http://www.secadministrator.com

    6. SECURITY TOOLKIT

  • VIRUS CENTER

  • Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
    http://www.secadministrator.com/panda

  • VIRUS ALERT: W32/SQLSLAMMER

  • Slammer is a worm that has the following characteristics:

    • It attacks only servers that run Microsoft SQL Server or Microsoft SQL Server Desktop Engine (MSDE).
    • It carries out its infection by exploiting a buffer-overrun vulnerability in SQL servers that don't have Service Pack 3 (SP3) installed.
    • Its strategy involves sending out multiple 376-byte files that contain the worm's code.

    Indications that Slammer has infected a machine include heavy traffic to UDP port 1434, the SQL Server Resolution Service port.
    http://63.88.172.96/panda/index.cfm?fuseaction=virus&virusid=1350
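    The infection indicator above (a burst of 376-byte UDP datagrams aimed at port 1434) turned into simple detection logic, as an added example that is not part of the newsletter or Panda's write-up. The log format and the sample lines are constructed and hypothetical; the burst threshold is an assumption to tune for your own network.

```python
import re
from collections import defaultdict

SLAMMER_PORT = 1434      # UDP port of the SQL Server Resolution Service
SLAMMER_PAYLOAD = 376    # size of the worm's UDP payload, in bytes
BURST_THRESHOLD = 5      # distinct destinations per source before we flag (assumed)

# Hypothetical firewall export: "<time> <proto> <src>:<sport> -> <dst>:<dport> len=<bytes>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+len=(?P<length>\d+)$"
)

# Constructed sample: one host spraying 376-byte datagrams at UDP/1434,
# plus ordinary SQL Server (TCP/1433) traffic and a small, legitimate 1434 query.
SAMPLE_LOG = """\
12:00:01 UDP 10.0.0.5:1032 -> 198.51.100.7:1434 len=376
12:00:01 UDP 10.0.0.5:1032 -> 203.0.113.9:1434 len=376
12:00:01 UDP 10.0.0.5:1032 -> 192.0.2.44:1434 len=376
12:00:01 UDP 10.0.0.5:1032 -> 198.51.100.200:1434 len=376
12:00:01 UDP 10.0.0.5:1032 -> 203.0.113.77:1434 len=376
12:00:01 UDP 10.0.0.5:1032 -> 192.0.2.8:1434 len=376
12:00:02 TCP 10.0.0.8:4100 -> 10.0.0.2:1433 len=60
12:00:02 UDP 10.0.0.9:1039 -> 10.0.0.2:1434 len=40
"""

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec

def find_slammer_sources(log_text, threshold=BURST_THRESHOLD):
    """Return {src: distinct_destination_count} for every source that sent
    376-byte UDP datagrams to port 1434 to at least `threshold` distinct hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP":
            continue
        if rec["dport"] == SLAMMER_PORT and rec["length"] == SLAMMER_PAYLOAD:
            targets[rec["src"]].add(rec["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}

if __name__ == "__main__":
    for src, n in find_slammer_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} hosts probed on UDP/{SLAMMER_PORT} with {SLAMMER_PAYLOAD}-byte datagrams")
```

    A flagged source is a candidate for isolation and for checking whether SQL Server 2000 SP3 (or the MS02-039 patch) is installed; the legitimate 40-byte resolution query is deliberately not flagged.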

  • FAQ: Having Trouble Enabling SSL on Your Site?

  • (contributed by Brett Hill, http://www.iisanswers.com)

    Q: A reader is trying to enable Secure Sockets Layer (SSL) on a company Web site. The company has installed a certificate but can't create an HTTP Secure (HTTPS) connection. The site works fine with HTTP, but HTTPS causes the Web browser to wait for a long time, then time out because it can't reach the server.

    Troubleshooting SSL connection problems can be tedious. Brett Hill offers a list of common problems to look for on your servers, along with detailed explanations. Check out the list of potential problems and their solutions on our Web site:
    http://www.secadministrator.com/articles/index.cfm?articleid=37815

    7. NEW AND IMPROVED
    (contributed by Sue Cooper, products@winnetmag.com)

  • CENTRALLY MANAGE SIDEWINDER FIREWALLS

  • Secure Computing released Sidewinder G2 Enterprise Manager, a rack-mount security appliance that provides central policy management and an audit-log and configuration-backup repository for your distributed Sidewinder firewalls. The appliance is built on Secure Computing's hardened version of UNIX, the SecureOS UNIX OS, which has never been compromised. Your network access policies and Security logs are stored in the system's SQL database. The Sidewinder G2 performs its secure, browser-based management through a Windows software package. Contact Secure Computing at 800-379-4944, 408-979-6572, or sales@securecomputing.com.
    http://www.securecomputing.com

  • CAPTURE AND ANALYZE YOUR NETWORK TRAFFIC

  • Sandstorm Enterprises announced NetIntercept 1.2, a hardware-based Network Forensics Analysis Tool (NFAT). NetIntercept can tell you who sent what information where, why information isn't moving, and how your systems were attacked. New features include Secure Sockets Layer (SSL) session decryption and analysis and an option to write to DVD archive media. NetIntercept 1.2 contains improved netmask-management and content-search capabilities. For more information about NetIntercept 1.2, contact Sandstorm Enterprises at 617-426-5056 and sales@sandstorm.net.
    http://www.sandstorm.net

  • SUBMIT TOP PRODUCT IDEAS

  • Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to whatshot@winnetmag.com.

    8. HOT THREAD

  • WINDOWS & .NET MAGAZINE ONLINE FORUMS

  • http://www.winnetmag.com/forums

  • Featured Thread: Do IPSec Policies Slow Server Response?

  • (Three messages in this thread)

    A user writes that he has set up an IP Security (IPSec) policy to permit incoming traffic only on certain ports. He wants to know whether such a policy will slow down requests to the server. Lend a hand or read the responses:
    http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=52918

  • HOWTO MAILING LIST

  • http://63.88.172.96/listserv/page_listserv.asp?s=howto

  • Featured Thread: Are MAILTO and POST Safe for Transactions?

  • (Three messages in this thread)

    A user wants to know what the dangers are if someone sends a credit card number over the Internet using MAILTO and POST links. Read the responses or lend a hand at the following URL:
    http://63.88.172.96/listserv/page_listserv.asp?A2=IND0301E&L=HOWTO&P=281

    9. CONTACT US
    Here's how to reach us with your comments and questions:

    • ABOUT IN FOCUS — mark@ntsecurity.net
    • ABOUT THE NEWSLETTER IN GENERAL — letters@winnetmag.com

    (please mention the newsletter name in the subject line)

    • TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
    • PRODUCT NEWS — products@winnetmag.com
    • QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION?
      Customer Support — securityupdate@winnetmag.com
    • WANT TO SPONSOR SECURITY UPDATE?
      emedia_opps@winnetmag.com

    This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
    http://www.secadministrator.com/sub.cfm?code=saei25xxup

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.net/email