Security UPDATE, May 29, 2002
Email spam should lessen if Bill S.630 becomes law. It would become illegal to send unsolicited email unless recipients have given express consent to receive such communications.
May 28, 2002
Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com
THIS ISSUE SPONSORED BY
Plan for Infrastructure Security
http://www.ibm.com/e-business/playtowin/n32
VeriSign — The Value of Trust
http://www.verisign.com/cgi-bin/go.cgi?a=n094487360057000
(below IN FOCUS)
SPONSOR: PLAN FOR INFRASTRUCTURE SECURITY
Put wireless technologies to work for your organization to build a flexible and more competitive e-business. IBM offers know-how and global resources that can help you work both intelligently and safely. Learn how wireless technology solutions can extend your company’s reach with a copy of our white paper, "A Wireless World Awaits: Nine Moves that Mobilize e-business." IBM has the knowledge, experience and global resources to help you and your partners work with peace of mind and remain focused on your core business issues. Visit us and register today to receive your complimentary copy at
http://www.ibm.com/e-business/playtowin/n32
May 29, 2002—In this issue:
1. IN FOCUS
Legal Remedy for Junk Email; Hiring Security Staff
2. SECURITY RISK
Buffer Overflow in Ipswitch's IMail Server
3. ANNOUNCEMENTS
Cast Your Vote for Our Readers' Choice Awards!
Attend Our Free Windows Security Solutions Webinar!
4. SECURITY ROUNDUP
News: Spammers Beware: New Bill Seeks Criminal Enforcement
News: CyberSource Teams with Concord EFS for Secure Payment System
News: SonicWALL Protects Santa Barbara Police Department
News: Spida Worm Infects SQL Servers
News: SurfControl Releases White Paper Stressing Layered Security
5. INSTANT POLL
Results of Previous Poll: IM Use
New Instant Poll: IM Policy
6. SECURITY TOOLKIT
Virus Center
FAQ: How Can I Disable Multiuser Editing in Microsoft Office XP's Word Processor—Microsoft Word 2002?
7. NEW AND IMPROVED
Automatically Plug Major Windows XP Security Hole
PC User-Authentication Solution
8. HOT THREADS
Windows & .NET Magazine Online Forums
Featured Thread: Password Breach
HowTo Mailing List
Featured Thread: NT Profiles and Password Policy
9. CONTACT US
See this section for a list of ways to contact us.
1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])
LEGAL REMEDY FOR JUNK EMAIL; HIRING SECURITY STAFF
Are you getting enough spam yet? After the long holiday weekend, I checked the email in just one of my mail accounts, and the server reported 76 messages waiting to be delivered. In fact, 38 of them were unsolicited junk mail advertising all kinds of things I don't need, such as an as-seen-on-TV cure for snoring. I don't get nearly as much junk mail in my postal mailbox as I do in my electronic mail boxes, yet I've never opted into anyone's electronic advertising campaigns.
All online advertisers should include a link or email address that we can use to remove our names from their distribution lists (DLs). However, spam sources often use such contact points not to remove names from lists but to verify that a particular email address is valid—which only increases the amount of junk mail I receive.
A few years ago, in a television commentary, Andy Rooney joked that he accumulates piles of his postal junk mail, then ships it all back to the sender with a note that says, "Please throw this away for me." The idea struck me as hilarious, and it might be effective, but I doubt it would work with electronic junk mail.
We can use spam filters to eliminate unwanted email traffic, but keeping the filters effective isn't simple. The task becomes expensive over the long run through filtering software costs and the security-related maintenance hours required. But some relief might be in sight. Recently, the Senate Commerce Committee passed Bill S.630, which, if it becomes law, would make it illegal to send unsolicited email unless recipients have given express consent to receive such communications. In a nutshell, the new law would eliminate "opt out" in favor of "opt in" policies. The proposed law would also let those who receive unsolicited communications file class-action and independent lawsuits against offenders to collect monetary damages. You can read about the bill in the related news story, "Spammers Beware: New Bill Seeks Criminal Enforcement" (see the URL below).
http://www.secadministrator.com/articles/index.cfm?articleid=25291
On another security-related subject—do you have trouble hiring and keeping security professionals in your company? A recent article in CIO Magazine, "How to Staff Up for Security" (see the URL below), notes that employers have trouble filling available positions because of a lack of skilled and experienced workers in the field: On average, employers fill 1 in 13 available positions.
http://www.idg.net/go.cgi?id=685363
The article lists several ways to attract, hire, and keep quality security people on your staff, including
knowing your needs and matching them to a candidate
using specialized headhunters and employment agencies
making cutting-edge technology available to your security staff
offering incentives such as yearly training and conference attendance
considering training inhouse staff for security positions
paying them well
You probably already know that security professionals don't come cheap. The article states that salaries in the field can range from $60,000 up to $180,000 per year, depending on several factors, including level of responsibility. Be sure to read the article.
SPONSOR: VERISIGN—THE VALUE OF TRUST
Secure your servers with 128-bit SSL encryption!
Grab your copy of VeriSign's FREE Guide, "Securing Your Web site for Business," and you'll learn everything you need to know about using 128-bit SSL to encrypt your e-commerce transactions, secure your corporate intranets and authenticate your Web sites. 128-bit SSL is serious security for your online business. Get it now!
http://www.verisign.com/cgi-bin/go.cgi?a=n094487360057000
2. SECURITY RISK
(contributed by Ken Pfeil, [email protected])
Buffer Overflow in Ipswitch's IMail Server
Foundstone discovered a buffer-overflow condition in the Lightweight Directory Access Protocol (LDAP) component of Ipswitch's IMail Server that can result in a Denial of Service (DoS) attack. An attacker can exploit this vulnerability to remotely execute arbitrary code with the privileges of the IMail daemon, which by default runs as SYSTEM. Ipswitch has released Hotfix 1 for IMail Server 7.10, which addresses this vulnerability. Users who have earlier versions of IMail Server will need to upgrade to IMail Server 7.10.
http://www.secadministrator.com/articles/index.cfm?articleid=25294
3. ANNOUNCEMENTS
(brought to you by Windows & .NET Magazine and its partners)
CAST YOUR VOTE FOR OUR READERS' CHOICE AWARDS!
Which companies and products do you think are the best on the market? Nominate your favorites in four different categories for our annual Windows & .NET Magazine Readers' Choice Awards. You could win a T-shirt or a free Windows & .NET Magazine Super CD, just for submitting your ballot. Click here!
http://www.winnetmag.com/readerschoice
ATTEND OUR FREE WINDOWS SECURITY SOLUTIONS WEBINAR!
If you're using Windows 2000 to run mission-critical applications, you know Win2K has security concerns. The Windows & .NET Magazine's Security Solutions Summit, a half-day online event, addresses where the vulnerabilities lie, how you can strengthen your enterprise's security, and how you can exploit the same tools that intruders use. Register today!
http://www.winnetmag.com/seminars/security
4. SECURITY ROUNDUP
NEWS: Spammers Beware: New Bill Seeks Criminal Enforcement
The Senate Commerce Committee approved Bill S.630 "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2001" (the "CAN SPAM Act of 2001" for short). The CAN SPAM act is designed to protect consumers and businesses from unsolicited commercial email (UCE) by levying fines and permitting civil and criminal actions against spammers.
http://www.secadministrator.com/articles/index.cfm?articleid=25291
NEWS: CyberSource Teams with Concord EFS for Secure Payment System
CyberSource and Concord EFS announced an agreement in which Concord will sell the CyberSource Small Business solution to its small and midsized customers.
http://www.secadministrator.com/articles/index.cfm?articleid=25290
NEWS: SonicWALL Protects Santa Barbara Police Department
SonicWALL announced that the Santa Barbara (California) Police Department (SBPD) has selected the company's firewall and VPN appliances to protect the SBPD network and communications between remote offices for some 230 offsite law enforcement employees.
http://www.secadministrator.com/articles/index.cfm?articleid=25289
NEWS: Spida Worm Infects SQL Servers
A new worm, Spida, is spreading across the Internet into Microsoft SQL Server systems. Spida infects SQL servers that have a blank system administrator (sa) account password.
http://www.secadministrator.com/articles/index.cfm?articleid=25280
NEWS: SurfControl Releases White Paper Stressing Layered Security
SurfControl, a Web and email-filtering company, announced the release of a white paper that urges organizations to layer security to ensure network integrity and to keep sensitive and proprietary information confidential.
http://www.secadministrator.com/articles/index.cfm?articleid=25286
5. INSTANT POLL
RESULTS OF PREVIOUS POLL: IM USE
The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "If your organization uses Instant Messaging (IM), which IM choice have you standardized on?" Here are the results (+/- 2 percent) from the 315 votes:
14% AOL Instant Messenger (AIM)
16% ICQ
43% MSN Messenger
9% Yahoo! Messenger
18% Other
NEW INSTANT POLL: IM POLICY
The next Instant Poll question is, "Which of the following answers best describes your organization's approach to Instant Messaging (IM) use?" Go to the Security Administrator Channel home page and submit your vote for a) We standardize on one package, b) We let users make their own IM choice, c) We don't let users use IM.
http://www.secadministrator.com
6. SECURITY TOOLKIT
VIRUS CENTER
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda
FAQ: How can I disable multiuser editing in Microsoft Office XP's word processor—Microsoft Word 2002?
(contributed by John Savill, http://www.windows2000faq.com)
A. The multiuser editing feature of Office XP's version of Word lets you open a locked file, edit the file locally, and merge your changes into the original document. To disable this feature, perform the following steps:
Start a registry editor (e.g., regedit.exe).
Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Options registry subkey.
From the Edit menu, select New, DWORD Value.
Enter a name of NoPromptToForkDocuments and press Enter.
Double-click the new value, set it to 1 to disable multiuser editing, and click OK.
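The same change in scriptable form, for pushing to many user profiles, as an added example that is not part of the original FAQ. It assumes PowerShell is available on the workstation and uses the subkey and value name the steps above describe:

```powershell
# Added example: disable Word 2002 multiuser editing for the current user.
# Same registry subkey and DWORD value as the manual regedit steps above.
$key  = 'HKCU:\Software\Microsoft\Office\10.0\Word\Options'
$name = 'NoPromptToForkDocuments'

# The Options subkey may not exist yet if this profile has never run Word.
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# A value of 1 disables the feature; -Force overwrites an existing value.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null

# Read the value back so a deployment script can confirm the setting took effect.
$current = (Get-ItemProperty -Path $key -Name $name).$name
if ($current -ne 1) {
    throw "$name is '$current' under $key, expected 1"
}
"$name set to $current under $key"
```

Because the value lives under HKEY_CURRENT_USER, the script must run in each user's context (for example, as a logon script) rather than once per machine.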
7. NEW AND IMPROVED
(contributed by Judy Drennen, [email protected])
AUTOMATICALLY PLUG MAJOR WINDOWS XP SECURITY HOLE
BigFix announced BigFix i-prevention, a software support system that protects Windows XP from a security flaw that can expose a PC to outside attackers. The BigFix i-prevention system identifies vulnerable Windows machines, proactively alerts users, and if a user clicks OK, plugs the security hole automatically. Some versions of Windows Me and Windows 98 are also susceptible if the users have installed Universal Plug and Play (UPnP) updates on their systems. Go to BigFix's Web site for a free download. Contact BigFix at 510-652-6700 or [email protected].
http://www.bigfix.com
PC USER-AUTHENTICATION SOLUTION
Griffin Technologies announced SecuriKey, a USB-based user-authentication solution for PCs. SecuriKey combines a keylike USB device with password protection. The solution also provides an alternative to public key infrastructure (PKI), protecting companies against unauthorized computer use. For a 200-user network, the cost to deploy would be less than $50 per seat. For more information, contact Griffin Technologies at 800-986-6578 or go to the Web site.
http://www.griftech.com
8. HOT THREADS
WINDOWS & .NET MAGAZINE ONLINE FORUMS
http://www.winnetmag.com/forums
Featured Thread: Password Breach
(Twenty-one messages in this thread)
Gary finds that on some of his organization's PDCs and BDCs, users logging on locally can access shared folders on PDC and BDC servers if three conditions exist. First, the users aren't domain users and have no privileges on any of the servers. Second, they log on by using "workgroup" or the domain name as their workgroup name. Finally, they use a password of "password" (all lowercase). Any user can connect to the BDC and PDC shared directories without permission. Has anyone solved this problem?
http://www.secadministrator.com/forums/thread.cfm?thread_id=105380
HOWTO MAILING LIST
http://www.secadministrator.com/listserv/page_listserv.asp?s=howto
Featured Thread: NT Profiles and Password Policy
(One message in this thread)
Mark has set his password policy on the domain so that after five bad password attempts, the account is locked out. His domain uses roaming profiles. However, if a user's Windows NT 4.0 workstation isn't in the domain, the user can attempt any number of password attempts for a specific domain user without locking the account. How can he lock out the domain account on nondomain systems? Can you help? Read the responses or lend a hand at the following URL:
http://63.88.172.96/listserv/page_listserv.asp?a2=ind0205d&l=howto&p=548
9. CONTACT US
Here's how to reach us with your comments and questions:
ABOUT IN FOCUS — [email protected]
ABOUT THE NEWSLETTER IN GENERAL — [email protected]
(please mention the newsletter name in the subject line)
TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
PRODUCT NEWS — [email protected]
QUESTIONS ABOUT YOUR Security UPDATE SUBSCRIPTION?
Customer Support — [email protected]
WANT TO SPONSOR Security UPDATE?
[email protected]
This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
http://www.secadministrator.com/sub.cfm?code=saei25xxup
Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email