Subject: Security UPDATE, May 14, 2003

********************

Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows Server 2003, Windows 2000, and Windows NT systems. http://www.secadministrator.com

********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Sygate http://www.sygate.connectthe.com/wnmsu

Research In Motion http://www.blackberry.com/select/server_wp/index.shtml?CPID=AF22037 (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: SYGATE ~~~~ STOP INSTANT MESSAGING, MP3s AND MORE FREE GUIDE: Learn how "endpoint security" technology helps you put an end to unwanted instant messaging, eliminate MP3s and other unauthorized downloads, enforce anti-virus, firewalls, patches, and other software updates, and improve the effectiveness of your existing security infrastructure. Get a free guide from the enterprise security experts at Sygate and discover how to enforce security policy across the entire network. For your free copy, including white papers, product reviews, case studies, audio interviews, and more, click here: http://www.sygate.connectthe.com/wnmsu ~~~~~~~~~~~~~~~~~~~~

May 14, 2003--In this issue:

1. IN FOCUS - Email Onslaught: Canning Spam

2. SECURITY RISKS - DoS in MDG Web Server 4D Version 3.6.0 - Multiple Vulnerabilities in Mirabilis ICQ Pro 2003a Client - Buffer-Overrun Vulnerability in Floosietek FTGatePro Mail Server 1.22

3. ANNOUNCEMENTS - Get the eBook That Will Help You Get Certified! - Cast Your Vote in Our Annual Readers' Choice Awards!

4. SECURITY ROUNDUP - News: Problems with Microsoft Security Patch and IIS Transactions - News: Microsoft Updates Security Patch for Windows TSE - Feature: Will a Fatal Bug Kill NT?

5. HOT RELEASE (ADVERTISEMENT) - Hewlett-Packard 6. INSTANT POLL - Results of Previous Poll: Cyber-Insurance - New Instant Poll: Managing Junk Mail

7. SECURITY TOOLKIT - Virus Center - FAQ: How Can I Add or Remove the IE Enhanced Security Configuration in Windows 2003?

8. NEW AND IMPROVED - Install All-in-One Security Suite - Scan for Viruses at Lightning Speed

9. HOT THREAD - Windows & .NET Magazine Online Forums - Featured Thread: Auditing Software for Win2K

10. CONTACT US See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1.

IN FOCUS

(contributed by Mark Joseph Edwards, News Editor, mark@ntsecurity.net)

* EMAIL ONSLAUGHT: CANNING SPAM

Is everybody tired of junk email yet? Everyone but the spammers, I think. Lately, people have dedicated much energy to ending unsolicited commercial email (UCE). Some, though not all, of the traffic deserves to be stopped. For example, you might want to receive unsolicited ads from your favorite vendors. However, you might not want another unsolicited ad for a cheap cable TV descrambler or another guaranteed-get-rich-quick scheme.

At least one ISP has lashed back at a devious and corrupt spammer. EarthLink won a judgment against a spammer to the tune of $16.4 million dollars. The perpetrator, Howard Carmack, of Buffalo, New York ("the Buffalo Spammer"), lied, cheated, and stole to get his spam out the door. EarthLink said Carmack has sent over 825 million junk emails since March 2002.

To cover his tracks, he and his associates stole credit cards, used them to establish bogus Internet access accounts, performed bank fraud, and presumably raked in loads of money in the process. According to EarthLink, he favored sending out advertisements for computer virus scripts, "work at home" and get-rich-quick schemes, bulk email software and lists other spammers could use, and cable TV descramblers. EarthLink is getting adept at chasing down spammers. In 1998, EarthLink won a $2-million-dollar judgment against Sanford Wallace of Cyber Promotions and last year, a $25-million-dollar judgment against KC Smith, whose operation purportedly generated more than a billion pieces of junk mail.

But we need an easier way than litigation to stop spam. The Federal Trade Commission (FTC) recently held a 3-day forum (see the first URL below), April 30 through May 2, to discuss the proliferation of UCE. The forum explored the technical, legal, and financial concerns associated with such email. I don't have follow-up information about the forum, but the FTC Web site has a page that offers tips about preventing spam and reporting fraudulent advertisements (see the second URL below). http://www.ftc.gov/opa/2003/02/spamforum.htm http://www.ftc.gov/bcp/conline/pubs/online/inbox.htm

One highlight of the forum was a proposal for a new standard, the Trusted Email Open Standard (TEOS), designed to augment current SMTP email technology to help prevent unwanted email from reaching users' Inboxes. Various organizations, including the ePrivacy Group, developed the TEOS draft proposal and published it in a white paper. http://2cobbs.com/spam/teos.html

Stephen Cobb, who worked on the proposal, outlined 10 basic points that serve as a road map for understanding TEOS. Cobb said that the nature of STMP-based email makes spam possible because it lets senders lie about who they are to lure users into reading the email.

The TEOS approach tries to address matters of technology and human behavior--while taking into consideration the legitimate ways people use email. Any solution to spam should try to avoid requiring that people replace the widely used SMTP-based mail servers and instead enhance existing technologies. TEOS proposes that such enhancements include a way for email senders to more reliably identify themselves. Enhancements can let senders make assertions about messages (included in SMTP message headers) so that mail servers know how to process email. For example, a magazine could assert that the message contains a user's copy of a newsletter.

TEOS also proposes including a "trust stamp" in messages. Trust stamps would be encrypted and unique to an individual message. Mail servers and users could use the stamps to verify whether a message sender is a member in good standing of a "responsible email" organization. An international oversight board would certify organizations.

Obviously, TEOS will work only if the proposal is widely accepted. If it were adopted, TEOS would stop dishonest people from sending spam because if senders lied about who they were and what their messages contained, those messages wouldn't be delivered. It's a good plan that makes sense.

Other solutions to junk mail add on to existing mail platforms. For example, whitelist and blacklist solutions automate the process of building lists of verified and unacceptable email senders. Mail-filtering packages help trim the amount of received junk mail at the gateway, and add-ons for mail clients trim junk at the desktop by using virtual networks of people to identify and tag spam as it travels the Internet.

One irony about this push to stamp out junk mail is that we still often overlook paper-based junk mail. People everywhere still receive reams of unsolicited paper mail. By now, each of us has probably received enough pizza coupons in the mail to wallpaper an entire college dormitory. Countless others and I toss those ads straight into the trash along with reams of other unwanted paper junk mail. Should the fact that we haven't solved the paper junk-mail problem serve as a warning about the difficulties to be encountered in ending spam? Naah. Cyberspace is different.

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: RESEARCH IN MOTION ~~~~ NEW BLACKBERRY SECURITY WHITE PAPER Prevent wireless handhelds from compromising your enterprise security! Download the BlackBerry Security White Paper for Microsoft Exchange and learn how the BlackBerry security architecture addresses data encryption, corporate firewalls, lost devices, and other critical security concerns. http://www.blackberry.com/select/server_wp/index.shtml?CPID=AF22037 ~~~~~~~~~~~~~~~~~~~~

2.

SECURITY RISKS

(contributed by Ken Pfeil, ken@winnetmag.com)

* DoS IN MDG WEB SERVER 4D VERSION 3.6.0 Tom Ferris discovered a Denial of Service (DoS) vulnerability in MDG Computer Services' MDG Web Server 4D 3.6.0 that can result in the execution of arbitrary code on the vulnerable system. This vulnerability stems from a buffer-overflow condition. By issuing a GET / request with 4096 caret brackets, a malicious user can cause the Web server to crash with a runtime error. MDG has not yet responded to this problem. http://www.secadministrator.com/articles/index.cfm?articleid=38978

* MULTIPLE VULNERABILITIES IN MIRABILIS ICQ PRO 2003A CLIENT Core Security Technologies discovered six new vulnerabilities in Mirabilis' ICQ Pro 2003a and earlier clients, the most serious of which can result in the execution of arbitrary commands on the vulnerable computer. These vulnerabilities range in severity from Denial of Service (DoS) to remotely exploitable buffer overflows. For a detailed analysis of each of these vulnerabilities, go to the discoverer's Web site. The vendor has not yet responded to these vulnerabilities. http://www.secadministrator.com/articles/index.cfm?articleid=38976

* BUFFER-OVERRUN VULNERABILITY IN FLOOSIETEK FTGATEPRO MAIL SERVER 1.22 Dennis Rand discovered a vulnerability in FTGatePro Mail Server 1.22 (build 1328) that can result in the execution of arbitrary code on the vulnerable system. This vulnerability stems from a buffer-overflow condition. If an attacker sends a large amount of code into the MAIL FROM and the RCPT TO fields, the buffer will overflow. Using carefully crafted code, the attacker can use system privileges to execute arbitrary commands. Floosietek has released build 1330, which isn't vulnerable to this condition. http://www.secadministrator.com/articles/index.cfm?articleid=38977

3.

ANNOUNCEMENTS

(brought to you by Windows & .NET Magazine and its partners)

* GET THE eBOOK THAT WILL HELP YOU GET CERTIFIED! The "Insider's Guide to IT Certification," from the Windows & .NET Magazine Network, has one goal: to help you save time and money on your quest for certification. Find out how to choose the best study guides, save hundreds of dollars, and be successful as an IT professional. The amount of time you spend reading this book will be more than made up by the time you save preparing for your certification exams. Order your copy today! http://winnet.bookaisle.com/ebookcover.asp?ebookid=13475

* CAST YOUR VOTE IN OUR ANNUAL READERS' CHOICE AWARDS! Which companies and products are the best on the market? Tell us by nominating your favorites in the annual Windows & .NET Magazine Readers' Choice Awards survey. Click here! http://www.winnetmag.com/readerschoice

4.

SECURITY ROUNDUP

* NEWS: PROBLEMS WITH MICROSOFT SECURITY PATCH AND IIS TRANSACTIONS Windows XP, Windows 2000, and Windows NT newsgroup users have been discussing security patch problems. The discussions center around problems with the Microsoft patch that Security Bulletin MS03-010 (Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks) describes. Russ Cooper posted a message to the NTBugTraq mailing list summarizing the newsgroup discussion. Apparently, people who use Microsoft IIS with COM+ have experienced Active Server Pages (ASP) transaction processing problems after installing the patch. According to Cooper, the problems are varied and disappear when users remove the patch from affected systems or apply a private patch available from Microsoft Product Support Services (PSS). http://www.secadministrator.com/articles/index.cfm?articleid=38975

* NEWS: MICROSOFT UPDATES SECURITY PATCH FOR WINDOWS TSE In December 2002, Microsoft released a patch for Windows NT Server 4.0, Terminal Server Edition (WTS) to correct problems with certain message-handling functions. A problem in WTS let intruders elevate privileges on a system. However, the patch installation routine that installed the patch on Japanese versions of NT multiprocessor systems contained a bug. The installation routine didn't copy the correct binary files onto the system, and as a result, WTS would fail. The installation error didn't affect users who installed the patch on Windows XP and Windows 2000. http://www.secadministrator.com/articles/index.cfm?articleid=38901

* FEATURE: WILL A FATAL BUG KILL NT? Not too long ago, Microsoft released Security Bulletin MS03-010 (Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks). Mark Minasi wonders whether this flaw might lead not just to Denial of Service (DoS) attacks but also to a "denial of existence" ultimatum for Windows NT 4.0. Be sure to read the article to find out why. http://www.secadministrator.com/articles/index.cfm?articleid=38823&pg=1&show=937

5.

HOT RELEASE (ADVERTISEMENT)

* HEWLETT-PACKARD HP OpenView for Windows Test Drive Monitor the availability and performance of your corporate website -- FREE for 30 days, using powerful HP OpenView management software for Windows. Simulate activity. Monitor complex transactions. Meet business demands. Manage web services. Click here. http://www.winnetmag.com/hptestdrive/

6.

INSTANT POLL

* RESULTS OF PREVIOUS POLL: CYBER-INSURANCE The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Does your company have cyber-insurance?" Here are the results from the 85 votes. (Deviations from 100 percent are due to rounding.) - 6% Yes--We have it - 4% No--But we plan to obtain it - 25% No--We won't get it until it's required by law - 66% No * NEW INSTANT POLL: MANAGING JUNK MAIL The next Instant Poll question is, "Does your company use junk-mail filtering technologies?" Go to the Security Administrator Channel home page and submit your vote for a) Yes--Whitelists, b) Yes--Blacklists, c) Yes--Mail filters, d) Yes--Two or more of the above, or e) No. http://www.secadministrator.com

7.

SECURITY TOOLKIT

* VIRUS CENTER Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda

* FAQ: How Can I Add or Remove the IE Enhanced Security Configuration in Windows 2003? ( contributed by John Savill, http://www.windows2000faq.com )

A. Windows Server 2003 introduces the Microsoft Internet Explorer (IE) Enhanced Security Configuration and enables this configuration by default for all users and groups. This locked-down configuration protects your computer from exposure on the Web by initially blocking connections to most Web sites, although you can add any Web sites that you regularly visit as part of a trusted zone. By default, the IE Enhanced Security Configuration considers the Windows Update and Error Reporting Web sites, and not much else, to be trusted sites.

To add or remove the Windows 2003 IE Enhanced Security Configuration feature, perform the following steps: 1. Start the Control Panel Add/Remove Programs applet. 2. Click Add/Remove Windows Components in the left pane of the dialog box. 3. Scroll down to Internet Explorer Enhanced Security Configuration and select the check box to activate the locked-down configuration or clear the check box to deactivate the locked-down configuration. 4. If you're enabling the locked-down configuration, click Details to select the users to whom (e.g., administrator groups, all other user groups) you want the policy to apply. 5. Click Next, then follow the onscreen instructions to finish configuring the settings.

8.

NEW AND IMPROVED

(contributed by Sue Cooper, products@winnetmag.com)

* INSTALL ALL-IN-ONE SECURITY SUITE NetWolves Technologies released the NetWolves Security Suite, a combination hardware/software solution to maintain your network's security. The WolfPac Security Platforms are hardware devices available in two configurations--both with 3 Ethernet 10/100 interface cards and housed in tamper-resistant, rack-mountable, 2U (3.5") steel cases. Software included in the suite provides an Internet Computer Security Association (ICSA)-certified firewall, an IP Security (IPSec) and Inter Key Exchange (IKE)-compliant VPN, connectivity failover, hardware failover, dynamic VPN routing, intrusion detection, content filtering, antivirus, Net Metrics to measure performance parameters, a split proxy, a mail server/gateway, an Apache Web server, and file sharing. Software also provides logging, reporting, and archiving features in a browser-based management interface. Managed security services include monitoring and notification, management and configuration, and security policy management. Contact NetWolves Technologies at 813-286-8644 or sales@netwolves.com. http://www.netwolves.com

* SCAN FOR VIRUSES AT LIGHTNING SPEED Eset Software announced NOD32 2.0, virus detection software that uses advanced heuristic technology and professes to scan at twice the speed of the next-best product on the market. Improvements include a fully integrated planner/scheduler, an improved email filter, a quarantine feature, better on-demand scanning, central log management, and an installation program written in XML. NOD32 2.0 supports Windows XP/2000/NT/Me/9.x, MS-DOS, UNIX, Novell, Lotus Domino Server, Microsoft Exchange Server, and Kerio MailServer. Prices start at $39 for a 1-user license or $170 for a 5-user license. Contact Eset Software at 619-437-7037 or sales@nod32.com. http://www.nod32.com

* SUBMIT TOP PRODUCT IDEAS Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to whatshot@winnetmag.com.

9.

HOT THREAD

* WINDOWS & .NET MAGAZINE ONLINE FORUMS http://www.winnetmag.com/forums

Featured Thread: Auditing Software for Win2K (Two messages in this thread)

A user writes that he wants to monitor his users' logon and logoff activity. He runs a small Windows 2000 domain and all of his users run Windows XP. He's familiar with the capabilities that let the domain controller (DC) generate audits in the Event Viewer under the Security log. He's looking for an interface that will let him see when users log on and log off and generate an easy-to-understand report for the company's owner. Currently, he must look at each event in Event Viewer to determine who's responsible for that event. He wonders whether Win2K has a feature that can accomplish the task, but he would also appreciate recommendations for any third-party software tool that would work well. Lend a hand or read the responses: http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=58457

10.

CONTACT US

Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark@ntsecurity.net

* ABOUT THE NEWSLETTER IN GENERAL -- letters@winnetmag.com (please mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products@winnetmag.com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- securityupdate@winnetmag.com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps@winnetmag.com

******************** This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today! http://www.secadministrator.com/sub.cfm?code=saei25xxup

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters. http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.

Thank you! __________________________________________________________ Copyright 2003, Penton Media, Inc.