From: InfoSec News (isn_at_c4i.org)
Date: Thu Oct 17 2002 - 01:47:56 CDT
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows .NET Server, Windows 2000, and
Windows NT systems.
~~~~ THIS ISSUE SPONSORED BY ~~~~
UltraBac Offers the Most Backup & Restore Options
Real Time Monitoring Is a Security Requirement
(below IN FOCUS)
~~~~ SPONSOR: ULTRABAC OFFERS THE MOST BACKUP & RESTORE OPTIONS ~~~~
UltraBac Software announces UltraBac v7.0.2 with the ability to use
any FTP server or IBM's Tivoli Storage Manager (TSM) as storage
devices for backup and restore operations. The FTP Device allows
administrators to perform backup & restore operations to any FTP
server connected to the Internet by simply entering the server's
address as the backup path. By including FTP and TSM devices as backup
paths, UltraBac now sets a new industry standard by offering more
backup and restore options than any other application. Backup options
include writing data to any type of local or remote media, including
disk, tape, CD-RW and optical. Download a free live trial
October 16, 2002--In this issue:
1. IN FOCUS
- Microsoft .NET Passport Must Set Security Bar Higher
2. SECURITY RISKS
- DoS in Oracle 9i Application Server for Windows
- Multiple Vulnerabilities in Microsoft Services for UNIX 3.0
- BearShare File-Sharing Directory Traversal Vulnerability
- Multiple Vulnerabilities in Microsoft SQL Server, MSDE 2000,
and MSDE 1.0
3. ANNOUNCEMENTS
- The Exchange Solutions You've Been Searching For!
- Planning on Getting Certified? Make Sure to Pick Up Our New eBook!
4. SECURITY ROUNDUP
- News: RSA Security and iRevolution Give Passport Two-Factor
- Feature: Vendor-Specific Security Settings
- Feature: Palladium's Glacial Approach
5. HOT RELEASES (ADVERTISEMENTS)
- Spectracom's Netclock, for Secure Network Time
- Protect Your Infrastructure
6. INSTANT POLL
- Results of Previous Poll: Using Snort
- New Instant Poll: Microsoft .NET Passport
7. SECURITY TOOLKIT
- Virus Center
- FAQ: How Can I Configure the Grace Period That Windows Uses for
Password-Protected Screen Savers?
8. NEW AND IMPROVED
- Integrated Security Solution for USB Keys and SSL Acceleration
- Tips for Troubleshooting and Preventing Internet-Based Computer
- Submit Top Product Ideas
9. HOT THREADS
- Windows & .NET Magazine Online Forums
- Featured Thread: Port Mappings
10. CONTACT US
See this section for a list of ways to contact us.
1. ==== IN FOCUS ====
(contributed by Mark Joseph Edwards, News Editor,
* MICROSOFT .NET PASSPORT MUST SET SECURITY BAR HIGHER
Although in the past Microsoft lambasted open-source projects as
inherently insecure, the company has chosen to embrace the idea of
open source by using the Kerberos protocol--again. According to
vnunet.com (see the URL below), Microsoft will marry its technology
with Kerberos technology to make its next generation of .NET Passport
more secure and somewhat open-source.
The last time Microsoft began to use Kerberos technology, in
conjunction Windows 2000, critics screamed because Microsoft had
apparently inserted undocumented modifications into the technology.
Twisting open-source code into proprietary technology through
undocumented changes is a definite no-no. Now, however, Microsoft is
turning to Kerberos to improve .NET Passport security in response to
the Federal Trade Commission (FTC) scrutiny that resulted in specific
Microsoft described its .NET Passport, launched in 1999, as "a suite
of Web-based services that makes using the Internet and purchasing
online easier and faster. .NET Passport provides users with single
sign-in (SSI) and fast purchasing capability at a growing number of
participating sites, reducing the amount of information users must
remember or retype." Many popular shopping sites, including eBay
(which recently acquired PayPal), offer .NET Passport as a means to
conduct business through their portals.
Because SSI is the core feature of .NET Passport, Kerberos is an
obvious choice to use as part of the core methodology of
authentication. To learn more about Microsoft's Kerberos
implementation, read Jan De Clerq's article "Win.NET Server Kerberos"
on our Web site (see the URL below). De Clerq discusses the new
Kerberos delegation features that Microsoft has embedded in Windows
.NET Server (Win.NET Server) 2003.
According to the FTC, Microsoft made false claims about .NET
Passport's security and privacy. Microsoft recently came to an
agreement with the commission (see the URL below) by which the company
will work to mend the problems. Under the agreement, Microsoft will
change the way the company communicates with consumers about the
security and privacy of the .NET Passport service and change the way
Kids Passport works to some extent, as you'll see below.
As Microsoft Senior Vice President and General Counsel Brad Smith
noted, "The FTC's complaint asserts that we should have taken
additional security steps earlier in the operation of the Passport
service." Smith went on to say: "Even though we know of no instance
where a Passport user's information has ever been compromised, in
hindsight we wish we had held ourselves to an even higher bar."
The FTC's complaints were certainly justified, however. You might
recall that in November 2001, I wrote about one researcher who
required just 30 minutes to discover that when Hotmail and .NET
Passport were combined, an intruder could quickly empty a user's
"wallet." On Microsoft's behalf, Smith acknowledged .NET Passport's
shortcomings and promised change: "Consistent with our heightened
security obligations, we accept responsibility for the past and will
focus on living up to this high level of responsibility in the
Toward that goal, according to Microsoft Corporate Vice President
Brian Arbogast, the company will "document the comprehensive
information security program that protects the security,
confidentiality, and integrity of the personal information collected
from our customers. We will also ensure that a third-party
professional firm reviews, advises us, and ultimately certifies that
our information-security program is designed and operates with
sufficient effectiveness to provide reasonable assurances that the
security, confidentiality, and integrity of every Passport user's
information is protected. We will also ensure that all of the
statements we make about the service are accurate and clear. Finally,
we will strengthen training for all the managers involved with
Passport, to ensure that they understand and comply fully with this
The FTC also raised concerns about Kids Passport, particularly noting
that children could bypass the controls their parents placed on the
technology. Microsoft said that it has taken steps to remedy that
situation by making Kids Passport more "kid-proof."
The new agreement with the FTC will be in force for 20 years. To read
more about Microsoft's perspective on the agreement, visit the Web
site at the URL below. In related news, Microsoft has licensed
security technology from RSA Security that will strengthen the
authentication mechanisms .NET Passport uses. Be sure to read about
that licensing agreement in the related news item in this newsletter.
~~~~ SPONSOR: REAL TIME MONITORING IS A SECURITY REQUIREMENT ~~~~
A proactive IT Manager installed ELM Enterprise Manager 3.0 on his
critical servers to assess the benefits of real time monitoring. A
week later, EEM 3.0 paged him as a disgruntled employee was attempting
to access confidential personal files. Within minutes, the hacker was
escorted off company property. Use ELM Enterprise Manager 3.0 to
monitor the health and status of your systems, protect your
intellectual property, and prevent avoidable downtime. Download your
FREE 30-day evaluation copy at:
2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, ken@winnetmag.com)
* DoS IN ORACLE 9I APPLICATION SERVER FOR WINDOWS
@stake discovered a Denial of Service (DoS) condition in Oracle 9i
Application Server's Web Cache Manager Tool. An attacker who sends a
specially formatted HTTP GET request to the port on which the Web
Cache Administration process is listening can crash the administration
process. The vendor, Oracle, has released Oracle Security Alert #43 to
address this vulnerability but hasn't released a patch. The company
will include a fix for this vulnerability in Oracle 9i Application
* MULTIPLE VULNERABILITIES IN MICROSOFT SERVICES FOR UNIX 3.0
Three new vulnerabilities exist in the Windows Help Facility, one
of which could let an attacker execute arbitrary code on the
vulnerable system. These new vulnerabilities consist of an integer
overflow in the XML Data Reduced (XDR) library, a buffer overrun in
remote procedure calls (RPCs), and an RPC implementation error. The
vendor, Microsoft, has released Security Bulletin MS02-057 (Flaw in
Services for Unix 3.0 Interix SDK Could Allow Code Execution) to
address these vulnerabilities and recommends that affected users
immediately apply the patch mentioned in the bulletin.
* BEARSHARE FILE-SHARING DIRECTORY TRAVERSAL VULNERABILITY
A directory traversal vulnerability exists in the file-sharing
program BearShare. This vulnerability stems from a flaw in the
personal Web server portion of BearShare that could let an attacker
view any file on the vulnerable system by issuing a specially crafted
HTTP request. The vendor, Free Peers, has released version 4.0.6 to
address the traversal issue described above, but the software is still
vulnerable if an attacker uses certain HTTP requests, which the
article lists. Free Peers hasn't yet addressed this second variant of
the same problem.
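As an added example (not BearShare's code, nor anything released by Free Peers), here is the kind of request-path check a personal Web server needs in order to refuse the second variant described above: the request path is percent-decoded until it stops changing, backslashes are treated as separators, and the resolved path is compared with the shared root before any file is opened. The function name, the root directory and the sample request paths are constructed for the illustration.

```powershell
# Added example, not from the newsletter or from Free Peers: a request-path
# check that refuses traversal, including the encoded variants a naive fix misses.
# Function name, root directory and sample paths are this example's own.

function Test-PathInsideRoot {
    param(
        [Parameter(Mandatory)][string]$WebRoot,     # directory the server may expose
        [Parameter(Mandatory)][string]$RequestPath  # path portion of the HTTP request line
    )
    # Decode repeatedly so %2e%2e%2f and double-encoded %252e forms collapse to ../
    $decoded = $RequestPath
    do {
        $previous = $decoded
        $decoded = [System.Uri]::UnescapeDataString($decoded)
    } while ($decoded -ne $previous)

    # Drop any query string and treat backslashes as separators (Windows semantics)
    $decoded = ($decoded -split '\?')[0] -replace '\\', '/'

    # Resolve against the root and compare the normalized full paths
    $rootFull  = [System.IO.Path]::GetFullPath($WebRoot).TrimEnd('\') + '\'
    $candidate = [System.IO.Path]::GetFullPath((Join-Path $rootFull $decoded.TrimStart('/')))
    return $candidate.StartsWith($rootFull, [System.StringComparison]::OrdinalIgnoreCase)
}

# Constructed sample request paths, as a personal Web server might receive them
$samples = @(
    '/shared/song.mp3',
    '/../../windows/win.ini',
    '/shared/%2e%2e/%2e%2e/windows/win.ini',
    '/shared/..%5c..%5cwindows%5cwin.ini',
    '/shared/%252e%252e/%252e%252e/windows/win.ini'
)
foreach ($s in $samples) {
    $ok = Test-PathInsideRoot -WebRoot 'C:\BearShare\Shared' -RequestPath $s
    '{0,-5} {1}' -f ($(if ($ok) { 'allow' } else { 'deny' }), $s)
}
```

Only the first sample is allowed; the others resolve outside the shared root once decoding and normalization are complete, which is why the comparison must happen on the resolved path rather than on the raw request string.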
* MULTIPLE VULNERABILITIES IN MICROSOFT SQL SERVER, MSDE 2000, AND MSDE 1.0
Three new vulnerabilities exist in Microsoft SQL Server, Microsoft
SQL Server Desktop Engine (MSDE) 2000, and Microsoft Data Engine
(MSDE) 1.0, the most serious of which could let an attacker execute
arbitrary code on the vulnerable system. The vulnerabilities are a
buffer overrun in a section of code in SQL Server 2000 and MSDE 2000
associated with user authentication, a buffer-overrun vulnerability
that occurs in one of the Database Console Commands shipped as part of
SQL Server 2000 and SQL Server 7.0, and a vulnerability associated
with SQL Server 2000 and SQL Server 7.0 scheduled jobs. The vendor,
Microsoft, has released Security Bulletin MS02-056 (Cumulative Patch
for SQL Server) to address these vulnerabilities and recommends that
affected users immediately apply the appropriate patch mentioned in
3. ==== ANNOUNCEMENTS ====
(brought to you by Windows & .NET Magazine and its partners)
* THE EXCHANGE SOLUTIONS YOU'VE BEEN SEARCHING FOR!
Our popular IT Buyers' Directories (ITBDs) are online catalogs of
the hottest vendor solutions around. Our latest ITBD highlights the
solutions and services that will help you protect, migrate, and
administer your Exchange server. Download your copy today at
* PLANNING ON GETTING CERTIFIED? MAKE SURE TO PICK UP OUR NEW EBOOK!
"The Insider's Guide to IT Certification" eBook is hot off the
presses and contains everything you need to know to help you save time
and money while preparing for certification exams from Microsoft,
Cisco Systems, and CompTIA and have a successful career in IT. Get
your copy of the Insider's Guide today!
4. ==== SECURITY ROUNDUP ====
* NEWS: RSA SECURITY AND iREVOLUTION GIVE PASSPORT TWO-FACTOR
RSA Security and iRevolution announced a strategic relationship to
provide two-factor authentication to Microsoft Passport. The two
companies will create a solution designed to provide Passport users
single sign-on (SSO) capabilities using RSA Mobile software.
* FEATURE: VENDOR-SPECIFIC SECURITY SETTINGS
Ed Roth tells you how to configure Wired Equivalent Privacy (WEP)
encryption settings for a variety of different wireless network gear,
including SMC Networks, Linksys, D-Link Systems, NETGEAR, Siemens, and
* FEATURE: PALLADIUM'S GLACIAL APPROACH
Palladium is based on the theory that software alone can't
adequately protect users and data in our connected world. According to
Microsoft, Palladium will do almost everything but balance your
checkbook: It will stop viruses, worms, and spam; it will understand
who you are and prevent malicious users from accessing information you
intend to send to certain individuals; it will safeguard your privacy.
Read Paul Thurrott's editorial about Palladium at the URL below.
5. ==== HOT RELEASES (ADVERTISEMENTS) ====
* SPECTRACOM'S NETCLOCK, FOR SECURE NETWORK TIME
Does your network depend on a Time Source that's outside your
Firewall? Doesn't your network need an accurate clock source?
Spectracom's NetClock/NTP (Network Time Provider) or NetClock/TM (Time
Machine) can help you. See how at:
* PROTECT YOUR INFRASTRUCTURE
How do you make sure only the right people access your vital
systems? IBM can help build trust into your e-business relationships.
Get the IBM white paper, "Linking Security Needs to e-business
Evolution" at http://www.ibm.com/e-business/playtowin/n296
6. ==== INSTANT POLL ====
* RESULTS OF PREVIOUS POLL: USING SNORT
The voting has closed in Windows & .NET Magazine's Security
Administrator Channel nonscientific Instant Poll for the question, "Do
you use Snort to implement an Intrusion Detection System (IDS) on your
network?" Here are the results (+/- 2 percent) from the 1220 votes:
- 91% Yes
- 9% No
* NEW INSTANT POLL: MICROSOFT .NET PASSPORT
The next Instant Poll question is, "Do you currently use Microsoft
.NET Passport?" Go to the Security Administrator Channel home page and
submit your vote for a) Yes, or b) No.
7. ==== SECURITY TOOLKIT ====
* VIRUS CENTER
Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
* FAQ: HOW CAN I CONFIGURE THE GRACE PERIOD THAT WINDOWS USES FOR
PASSWORD-PROTECTED SCREEN SAVERS?
(contributed by John Savill, http://www.windows2000faq.com)
A. By default, when you activate a password-protected screen saver,
Windows provides a brief grace period during which keyboard and mouse
activity will stop the screen saver and let you access the system
without having to enter the password. To modify this grace period,
perform the following steps:
1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon registry subkey.
3. From the Edit menu, select New, DWORD Value.
4. Enter a name of ScreenSaverGracePeriod, then press Enter.
5. Double-click the new value, set the "Value data" to the number
of seconds (from 0 to 2,147,483) that you want to use for the grace
period, set the Base type to decimal, then click OK.
6. Restart the machine for the change to take effect.
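The same change scripted in PowerShell, as an added example that is not part of the FAQ or of John Savill's site. It assumes an elevated session on the machine being configured; the function names are this example's own, while the registry key, value name, value type and range come from the steps above.

```powershell
# Added example (not from the FAQ): set and read the Winlogon ScreenSaverGracePeriod
# value from PowerShell instead of regedit. Assumes an elevated session on the
# target machine; the function names are this example's own.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'ScreenSaverGracePeriod'

function Get-ScreenSaverGracePeriod {
    # Returns the configured grace period in seconds, or $null if the value is absent
    $item = Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-ScreenSaverGracePeriod {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 2147483)]   # range given in the FAQ, in seconds
        [int]$Seconds
    )
    # REG_DWORD written as a decimal number, matching step 5 of the FAQ;
    # -Force overwrites an existing value
    New-ItemProperty -Path $WinlogonKey -Name $ValueName -PropertyType DWord `
        -Value $Seconds -Force | Out-Null
    Write-Host "ScreenSaverGracePeriod set to $Seconds second(s); restart for the change to take effect."
}

# Usage: a grace period of 0 removes the window in which keyboard or mouse
# activity dismisses the screen saver without a password.
Set-ScreenSaverGracePeriod -Seconds 0
Get-ScreenSaverGracePeriod
```

The ValidateRange attribute enforces the 0 to 2,147,483 bound from step 5, so an out-of-range value fails before anything is written, and the read-back confirms what Winlogon will use after the restart required by step 6.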
8. ==== NEW AND IMPROVED ====
(contributed by Judy Drennen, products@winnetmag.com)
* INTEGRATED SECURITY SOLUTIONS FOR USB KEYS AND SSL ACCELERATION
Rainbow Technologies eSecurity and i-Security Solutions Limited
(i-SSL) announced a partnership to integrate Rainbow's iKey and
CryptoSwift products with i-SSL's i-Secur products. The partnership
will provide one-stop, seamlessly integrated security services and
solutions to customers in the Asian Pacific IT security market. "Our
partnership with Rainbow further enhances our ability to create,
deliver and support world-class security solutions tailored to the
specific needs of Asian and international customers," said Frederick
Chang, CEO of i-SSL. "Rainbow's security solutions complement our
i-Secur suite of products to provide user-friendly e-applications
embedded with strong security measures." Contact Rainbow at
949-450-7377 or go to the Web sites listed below.
* TIPS FOR TROUBLESHOOTING AND PREVENTING INTERNET-BASED COMPUTER
Sybex released "Absolute PC Security and Privacy" by Michael
Miller, a solutions-oriented book that shows users how to detect and
seal security holes, how to reduce the chance of attack, and how to
recognize when an attack is underway and stop it in progress. The book
contains solutions for addressing the most common Internet-based
intrusions including viruses, privacy theft, and email spam. Written
for average computer users, Miller's book offers easy-to-follow
instructions and practical advice. The book (ISBN 0-7821-4127) costs
$34.99. Contact Sybex at its Web site for more information.
* SUBMIT TOP PRODUCT IDEAS
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot@winnetmag.com.
9. ==== HOT THREADS ====
* WINDOWS & .NET MAGAZINE ONLINE FORUMS
Featured Thread: Port Mappings
(Five messages in this thread)
A reader wants to know about any articles or Web sites that offer a
list of ports and maps those ports to malicious applications such as
Trojan horses or known intruder tools. Such Web pages do exist, as the
10. ==== CONTACT US ====
Here's how to reach us with your comments and questions:
* ABOUT IN FOCUS -- mark@ntsecurity.net
* ABOUT THE NEWSLETTER IN GENERAL -- letters@winnetmag.com (please
mention the newsletter name in the subject line)
* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
* PRODUCT NEWS -- products@winnetmag.com
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate@winnetmag.com
* WANT TO SPONSOR SECURITY UPDATE? emedia_opps@winnetmag.com
This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing a Windows 2000/Windows NT enterprise.
Receive the latest information about the Windows and .NET topics of
your choice. Subscribe to our other FREE email newsletters.
Thank you for reading Security UPDATE.
Copyright 2002, Penton Media, Inc.
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
in the BODY of the mail.