Information Security News mailing list archives

Security UPDATE, October 24, 2001


From: InfoSec News <isn () c4i org>
Date: Thu, 25 Oct 2001 03:40:04 -0500 (CDT)

********************
Windows 2000 Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows 2000 and NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Aelita Secures Windows 2000 & Active Directory
   http://lists.win2000mag.net/cgi-bin3/flo?y=eIRo0CJgSH0BVg0gr40AG 

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: AELITA SECURES WINDOWS 2000 & ACTIVE DIRECTORY ~~~~
   Aelita EventAdmin closes the gap in security management. Combining 
sophisticated data collection with powerful analysis, reporting and 
archiving technologies, EventAdmin delivers a new level of security and 
visibility into your Windows NT- and Windows 2000-centric environments 
that include Microsoft .NET Enterprise Servers, Novell NDS and UNIX 
systems. Focusing on current and historical data, EventAdmin extends 
real-time monitoring tools and allows IT professionals to track and 
analyze user activity patterns, implement and enforce enterprise audit 
and security policies, increase network visibility, investigate 
problems and prevent disasters. Get your FREE evaluation copy today!
   http://lists.win2000mag.net/cgi-bin3/flo?y=eIRo0CJgSH0BVg0gr40AG 

********************

October 24, 2001--In this issue:

1. IN FOCUS
     - Information Anarchy: The Blame Game?

2. SECURITY RISKS
     - Denial of Service in Windows Terminal Services
     - Arbitrary File Disclosure Vulnerability in Novell GroupWise
     - Denial of Service in Citrix Metaframe

3. ANNOUNCEMENTS
     - What's the Right Way to Tackle Home Networking?
     - Are You Getting Everything You Need from WebSphere?

4. INSTANT POLL
     - Results of Previous Poll: Drop Microsoft IIS?
     - Instant Poll: Full Disclosure

5. SECURITY ROUNDUP
     - News: Microsoft Introduces Security Bulletin Severity Rating 
       System
     - News: Hacker Breaks DRM; Microsoft Considers Legal Action
     - Buyer's Guide: Job Scheduling Software

6. HOT RELEASE (ADVERTISEMENT)
     - VeriSign - The Internet Trust Company

7. SECURITY TOOLKIT
     - Book Highlight: Hacking Exposed: Network Security Secrets and 
       Solutions
     - Virus Center
     - FAQ: Why Do I Receive an Error Message in Win2K That Says My 
       Password Must Be at Least 18,770 Characters?

8. NEW AND IMPROVED
     - Protect Data from Attacks
     - Replace Passwords with Biometric Technology

9. HOT THREADS
     - Windows 2000 Magazine Online Forums
         - Featured Thread: Win2K Server and Me Policies
     - HowTo Mailing List 
         - Featured Thread: Permissions Affected After NTFS File 
           Conversion

10. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== COMMENTARY ====

Hello everyone,

Full disclosure of security risk information is still under fire--this 
time driven by the recent outbreak of malicious worms such as Code Red 
and Nimda. Last week, Microsoft published an essay (URL below) written 
by Scott Culp, manager of the Microsoft Security Response Center. In 
the essay, Culp refers to full disclosure as "information anarchy" and 
says that Microsoft is working with other industry leaders to form a 
consensus protesting such information release. The company will ask its 
customers to support the adoption of the resulting consensus. 
   http://www.microsoft.com/technet/columns/security/noarch.asp

The central concern with full disclosure is that people often take 
vulnerability demonstration code--sometimes released in fully 
functional form--and use the code to create a weapon against 
unsuspecting users. "But regardless of whether the [security 
vulnerability] remediation takes the form of a patch or a workaround," 
Culp wrote, "an administrator doesn't need to know how a vulnerability 
works in order to understand how to protect against it, any more than a 
person needs to know how to cause a headache in order to take an 
aspirin." Although he's right to a certain extent, we need to consider 
a larger perspective.

Worms such as Code Red and Nimda definitely played upon well-known bugs 
for which patches had long since been available. Those worms showed us 
how many administrators don't consider security to be a priority in 
operating their systems. Granted, the worm writers seem malicious in 
releasing such nuisances, but is there a silver lining to those dark 
clouds? I think so. As a result of regularly demonstrated 
administrative complacency, Microsoft has adopted significant new 
policies and practices. The company has expanded its customer support 
efforts and is committed to providing even more robust security in its 
products and more robust tools to help automate and manage security. 
For example, because of these worms, Microsoft is now giving in a bit 
to the habits and needs of its customers instead of the somewhat 
idealistic visions of its software architects. So who benefits in the 
overall scenario? Everyone does. Culp wrote, "Customers who are 
considering hiring security consultants can ask them what their 
policies are regarding information anarchy, and make an informed buying 
decision based on the answer. And security professionals only need to 
exercise some self-restraint."

In reality, Microsoft doesn't benefit by condemning the sharing of 
detailed vulnerability information. Instead, the company should be 
scolding the misguided focus and relative complacency of its customers' 
administrative efforts. It seems that Microsoft is doing that now 
indirectly with its new Strategic Technology Protection Program (STPP; 
URL below). The effects should benefit information security in general, 
but getting a new program fully operational takes time. Perhaps any new 
consensus is going a bit too far too soon. In any event, a new 
consensus will benefit Microsoft by buying the company some time to get 
STPP into full swing. So again, who benefits from any new consensus in 
the long run? As Culp pointed out, "Even in the best of conditions, it 
will still be possible to write worms." So a new consensus won't 
eliminate the core problems of administrative latency and faulty code. 
   http://www.secadministrator.com/articles/index.cfm?articleid=22751

The full-disclosure problem comes down to timing on three fronts: 
Researchers publish explicit details in many cases without enough 
consideration for the time required for companies to develop a patch 
and coax customers into loading the patch; users wait too long to apply 
patches, if they apply them at all; and Microsoft product cycles are 
probably still far too quick to market for effective code development. 

What do you think about full disclosure? Is it a detriment or a benefit 
to the user community, or does it seem to balance out fairly equally in 
the bigger picture? Stop by our home page and take the Instant Poll. 
We're eager to learn your perspective. And if you want to express 
detailed comments regarding any new consensus, you can post them in 
response to this editorial--you'll find a copy posted on our home page. 
Until next time, have a great week.
   http://www.secadministrator.com

Sincerely,

Mark Joseph Edwards, News Editor, mark () ntsecurity net

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () win2000mag com)

* DENIAL OF SERVICE IN WINDOWS TERMINAL SERVICES
   Luciano Martins of Deloitte & Touche Argentina reported that a 
vulnerability exists in the RDP service of Microsoft Windows 2000 and 
Windows NT 4.0 that can result in a Denial of Service (DoS) attack. The 
attack is possible because the service doesn't properly handle a 
particular series of data packets. To cause the service to fail, an 
attacker doesn't have to complete a connection to the service but only 
has to send this series of data packets to the port on which RDP is 
listening. 
   Microsoft released Security Bulletin MS01-052 to address this 
vulnerability. Win2K Datacenter patches are hardware-specific and will 
be available from the OEM when they're ready. Microsoft rates the 
severity of this vulnerability as low risk to Internet systems, 
moderate risk to intranet systems, and no risk to client systems.
   Microsoft has temporarily pulled the related patch offline due to 
numerous reports that the patch breaks system functionality in many 
cases. The company intends to make the patch available again shortly.
   http://www.secadministrator.com/articles/index.cfm?articleid=22981

* ARBITRARY FILE DISCLOSURE VULNERABILITY IN NOVELL GROUPWISE 
   Mike Shema of Foundstone reported that a vulnerability exists in 
Novell's GroupWise Server 6.0 and 5.5 for Windows 2000 that can let an 
attacker view files located anywhere on the server. The servlet 
"webacc" located in /servlet/ typically accesses templates located in 
webroot. However, if an attacker knows the filename and location and 
appends a null character to the requested filename, the servlet also 
permits full directory-path traversal outside webroot. Novell recommends 
that users obtain a fix available through regular support channels. 
   http://www.secadministrator.com/articles/index.cfm?articleid=22917 
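The GroupWise item above describes the two classic template-path defects, a null byte that truncates the name seen by the native file API and unconstrained "..". The following is an added example, written for this newsletter and not Novell's code, of the kind of check a servlet front end should apply before opening a template; WEBROOT, the ".htt" template suffix and the function names are assumptions.

```python
"""Hardened template-path resolution for a web front end.

Added example; WEBROOT and the template suffix are hypothetical, not
taken from GroupWise.
"""
import posixpath
from urllib.parse import unquote

WEBROOT = "/groupwise/webroot"   # hypothetical document root
TEMPLATE_SUFFIX = ".htt"         # hypothetical template extension


class TemplatePathError(ValueError):
    """Raised when a requested template name is not acceptable."""


def resolve_template(requested: str, webroot: str = WEBROOT) -> str:
    """Return the absolute path of a template that lies under webroot.

    Raises TemplatePathError for null bytes, control characters, paths
    that escape the webroot, and names without the template suffix.
    """
    # Decode percent-encoding once, so %00 and %2e%2e are examined as the
    # characters they stand for rather than as harmless ASCII.
    decoded = unquote(requested)

    # A NUL (or any control character) must never reach the file API:
    # C-style string handling stops at the NUL, so "x.htt\0.ini" would be
    # checked as a template but opened as "x.htt".
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in decoded):
        raise TemplatePathError("control character in path")

    # Treat backslashes as separators too; the server runs on Windows.
    candidate = decoded.replace("\\", "/").lstrip("/")

    # Join to the webroot and collapse "." and ".." lexically, then insist
    # the result is still inside the webroot (the trailing "/" stops
    # "/groupwise/webroot2" from passing a plain prefix test).
    root = webroot.rstrip("/")
    full = posixpath.normpath(posixpath.join(root, candidate))
    if not full.startswith(root + "/"):
        raise TemplatePathError("path escapes webroot")

    # Only template files are served from this entry point.
    if not full.endswith(TEMPLATE_SUFFIX):
        raise TemplatePathError("not a template")
    return full


def verdict(requested: str) -> str:
    """Return "ok" or the rejection reason, for logging or unit tests."""
    try:
        resolve_template(requested)
        return "ok"
    except TemplatePathError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for req in ["login.htt", "login.htt%00.ini", "../../boot.ini%00.htt",
                "..%2f..%2fsecret.htt", "subdir/../login.htt"]:
        print(f"{req!r:32} -> {verdict(req)}")
```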

* DENIAL OF SERVICE IN CITRIX METAFRAME 
   Justine Bone, Glyn Geoghegan, and Paul Davies of Internet Security 
Systems discovered that a vulnerability exists in the Citrix MetaFrame 
server application that lets an attacker crash the server, resulting in 
a Denial of Service (DoS). Improper handling of multiple sessions on 
the Citrix server causes this DoS condition. By spoofing the protocol 
that runs between the MetaFrame client and server, an attacker can 
start multiple fake sessions with the affected server. Citrix 
recommends that users install the appropriate hotfixes, which the 
vendor will make available soon. 
   http://www.secadministrator.com/articles/index.cfm?articleid=22919

3. ==== ANNOUNCEMENTS ====

* WHAT'S THE RIGHT WAY TO TACKLE HOME NETWORKING?
   It starts with a subscription to Connected Home Magazine! Each issue 
(starting with our premiere issue in February 2002), will bring you the 
latest how-to advice to help you connect a home network, select home 
automation equipment, and much more! Our experts have seen it all, and 
are sharing what they know. Subscribe today!
   http://lists.win2000mag.net/cgi-bin3/flo?y=eIRo0CJgSH0BVg0gnK0AZ 

* ARE YOU GETTING EVERYTHING YOU NEED FROM WEBSPHERE?
   Check out WebSphere Professional magazine, for developers and system 
administrators WebSphereWire e-newsletter, with news and analysis; 
WebSpherePro System Admin Tips e-newsletter, with tips and techniques; 
and WebSpherePro Developer Tips e-newsletter, with technical tips. The 
e-newsletters are FREE--and so is the premiere issue of WebSphere 
Professional. Get them at the following URL.
   http://lists.win2000mag.net/cgi-bin3/flo?y=eIRo0CJgSH0BVg0gR20Ag 

4. ==== INSTANT POLL ====

* RESULTS OF PREVIOUS POLL: DROP MICROSOFT IIS?
   The voting has closed in Windows 2000 Magazine's Security 
Administrator Channel nonscientific Instant Poll for the question, 
"Does your company plan to do one of the following? a) Move to a 
yet-to-be-determined platform, b) Move to Apache, c) Move to iPlanet, 
d) Consider the recommendation, or e) Not change--you need Microsoft 
technology?" Here are the results (+/-2 percent) from the 601 votes:
   6% Move to a yet-to-be-determined platform
  26% Move to Apache
   2% Move to iPlanet
  12% Consider the recommendation
  53% Not change--you need Microsoft technology 

* INSTANT POLL: FULL DISCLOSURE
   Microsoft is working with other industry leaders to form a consensus 
protesting information release or "full disclosure." The company will 
ask its customers to support the adoption of the resulting consensus. 
The current Instant Poll question is, "What do you think about full 
disclosure?" a) It's an overall detriment to the user community as a 
whole, b) It's a benefit, or c) It seems to balance out fairly equally 
in the bigger picture? Go to the Security Administrator Channel home 
page and submit your vote.
   http://www.secadministrator.com 

5. ==== SECURITY ROUNDUP ====

* NEWS: MICROSOFT INTRODUCES SECURITY BULLETIN SEVERITY RATING SYSTEM
   Microsoft has instituted a severity rating system that it will apply 
to new security bulletins and related patches. The company designed the 
new system to help customers decide which patches they should apply for 
their network environments. 
   The new rating system is a matrix of three severity levels in 
conjunction with three system environments. The severity levels are 
Critical, Moderate, and Low, and the environments are Internet Servers, 
Internal Servers, and Client Systems.
   http://www.secadministrator.com/articles/index.cfm?articleid=22921

* NEWS: HACKER BREAKS DRM; MICROSOFT CONSIDERS LEGAL ACTION
   Microsoft might seek legal action against a hacker who at least 
partially compromised the company's Digital Rights Management (DRM) 
software, which helps prevent consumers from pirating music. In a self-
described "act of civil disobedience," an anonymous hacker published 
the hack, dubbed FreeMe, on the Internet this week. Breaking DRM 
software is illegal under the Digital Millennium Copyright Act (DMCA), 
a statute implemented in 1998. The Electronic Frontier Foundation 
(EFF), however, is challenging DMCA's legality in a New York court.
   http://www.secadministrator.com/articles/index.cfm?articleid=23000

* BUYER'S GUIDE: JOB SCHEDULING SOFTWARE
   The growing number of job-scheduling packages that work in Windows 
2000 and Windows NT environments signals the maturation of Windows in 
the enterprise and of Windows users themselves. With the variety of 
feature sets and price ranges in our job scheduling Buyer's Guide, 
you're sure to find something to meet your needs. 
   http://www.win2000mag.com/files/22552/22552.pdf

6. ==== HOT RELEASE (ADVERTISEMENT) ====

* VERISIGN - THE INTERNET TRUST COMPANY
   Secure your servers with 128-bit SSL encryption! Grab your copy of 
VeriSign's FREE Guide, "Securing Your Web site for Business," and learn 
about using SSL to encrypt e-commerce transactions. Get it now!
   http://lists.win2000mag.net/cgi-bin3/flo?y=eIRo0CJgSH0BVg0Lo50Al 

7. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: HACKING EXPOSED: NETWORK SECURITY SECRETS AND 
SOLUTIONS
   By Stuart McClure, George Kurtz, Joel Scambray
   List Price: $49.99
   Fatbrain Online Price: $34.99
   Hardcover; 729 pages
   Published by McGraw-Hill Professional Book Group, September 2001
   ISBN 0072193816

For more information or to purchase this book, go to 
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0072193816 
and enter WIN2000MAG as the discount code when you order the book.

* VIRUS CENTER
   Panda Software and the Windows 2000 Magazine Network have teamed to 
bring you the Center for Virus Control. Visit the site often to remain 
informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: WHY DO I RECEIVE AN ERROR MESSAGE IN WIN2K THAT SAYS MY PASSWORD 
MUST BE AT LEAST 18,770 CHARACTERS?
   ( contributed by John Savill, http://www.windows2000faq.com )

A. This error occurs when you're running Windows 2000 Service Pack 1 
(SP1) and you connect to an MIT realm and select Change Password from 
the Security dialog box (Ctrl+Alt+Del). (An MIT realm is a Kerberos 
realm used for authentication in the same way that Win2K uses Kerberos 
5 for authentication.) The full error you'll receive is "Your password 
must be at least 18,770 characters and cannot repeat any of your 
previous 30,689 passwords. Please type a different password. Type a 
password that meets these requirements in both text boxes." 
   To correct this problem, contact Microsoft Product Support Services 
(PSS) and request an updated msgina.dll file (version 5.0.2195.3351 or 
later).

8. ==== NEW AND IMPROVED ====
   (contributed by Scott Firestone, IV, products () win2000mag com)

* PROTECT DATA FROM ATTACKS
   Gianus Technologies released Phantom Total Security, software that 
protects laptop or PC data by making the data invisible to intruders, 
unauthorized users, and viruses. The software splits the hard disk into 
two parts, and when you click an icon, the software makes one of the 
parts invisible. You can drag files and documents between the two parts 
of the hard disk. Phantom Total Security runs on Windows 2000, Windows 
NT, Windows Me, and Windows 9x systems. For pricing, contact Gianus 
Technologies at 212-838-7070.
   http://www.phantomts.com

* REPLACE PASSWORDS WITH BIOMETRIC TECHNOLOGY
   BioconX released BioconX 3.5, security software that applies 
biometrics to replace passwords. The software strengthens access 
control by centralizing all users' biometric templates and system 
authorization profiles. The software authenticates the users' identity 
by comparing their fingerprint or the iris of their eye against all 
stored templates. The software then lets users access all servers and 
applications for which they have authorization. For pricing, contact 
BioconX at 952-835-5321.
   http://www.bioconx.com

9. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
   http://www.win2000mag.net/forums 

Featured Thread: Win2K Server and Me Policies
   (One message in this thread)

Martin used policy editor to secure Windows 98 and Windows 95 desktops 
when either networked with NT Server or used as standalones. When he 
comes across a desktop with Windows Me, he can't secure it in either 
environment or in policy editor for Windows Me. Can you help? Read more 
about the questions and responses or lend a hand at the following URL:
   http://www.secadministrator.com/forums/thread.cfm?thread_id=82220

* HOWTO MAILING LIST
   http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: Permissions Affected After NTFS File Conversion
   (Ten messages in this thread)

This user is having problems after converting Windows NT systems from 
FAT disk partitions to NTFS partitions. After the conversion, users are 
prompted to log on when they access certain shortcuts or Start Menu 
items. The logon prompting relates to the \\MachineName\C$ 
administrative share. Can you help? Read the responses or lend a hand 
at the following URL:
http://63.88.172.96/listserv/page_listserv.asp?a2=ind0110c&l=howto&p=1039

10. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT THE COMMENTARY -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- mlibbey () win2000mag com; please
mention the newsletter name in the subject line.

* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums

* PRODUCT NEWS -- products () win2000mag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
Support at securityupdate () win2000mag com.

* WANT TO SPONSOR SECURITY UPDATE? -- emedia_opps () win2000mag com

********************

   Receive the latest information about the Windows 2000 and Windows NT
topics of your choice. Subscribe to our other FREE email newsletters.
   http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-| 

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe, send a blank email to mailto:Security_UPDATE_Sub () lists win2000mag net.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

