Security UPDATE, August 28, 2002

Using software packages on your network to test for vulnerabilities is one thing, but testing somebody else's network for vulnerabilities is a different matter.

ITPro Today

August 27, 2002


Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com

THIS ISSUE SPONSORED BY

Real Time Monitoring Is a Security Requirement
http://www.tntsoftware.com/download/

Free Download Secure PC Access over the Web!
http://www.crossteccorp.com/w2kmag.htm
(below IN FOCUS)

SPONSOR: REAL TIME MONITORING IS A SECURITY REQUIREMENT

A proactive Security Administrator installed TNT Software's ELM Enterprise Manager 3.0 on his critical servers to assess the benefits of real time monitoring. A week later, EEM 3.0 paged him as a disgruntled employee was attempting to access confidential personal files. Within minutes, the hacker was escorted off company property. Use the comprehensive system management toolset, ELM Enterprise Manager 3.0, to monitor your internal security, protect your intellectual property, and prevent avoidable downtime. To download your FREE 30-day full-featured evaluation copy, visit:
http://www.tntsoftware.com/download/

August 28, 2002—In this issue:

1. IN FOCUS

  • How Not to Perform a Security Scan

2. SECURITY RISKS

  • Tiny Personal Firewall 3.0 for Windows

  • Multiple Vulnerabilities in Kerio MailServer 5.0 for Windows XP, Win2K, and NT

  • Multiple Vulnerabilities in Microsoft IE

  • DoS in Microsoft Windows SMB

  • Multiple Vulnerabilities in Microsoft Office Web Components ActiveX Control

  • Multiple Vulnerabilities in WebEasyMail

  • Buffer Overrun in Microsoft TSAC ActiveX Control

3. ANNOUNCEMENTS

  • Why Pay When You Can Get In-Person Security Expertise at No Charge?

  • Planning on Getting Certified? Make Sure to Pick Up Our New eBook!

4. SECURITY ROUNDUP

  • Feature: Password Defense

  • Feature: Safe Transit

  • Feature: Windows XP SP1

5. HOT RELEASE (ADVERTISEMENT)

  • SecureIIS Provides a Solid Brick in Your Defensive Wall

6. SECURITY TOOLKIT

  • Virus Center

  • FAQ: How Can I Disable Encrypting File System (EFS) on a Windows 2000 or Later Machine?

7. NEW AND IMPROVED

  • Ensure Secure Information Exchange

  • Enable Enterprisewide Configuration Changes

  • Submit Top Product Ideas

8. HOT THREADS

  • Windows & .NET Magazine Online Forums
    Featured Thread: Upstream Proxy Authentication

  • HowTo Mailing List:
    Featured Thread: Win2K Group Policy Error

9. CONTACT US

  • See this section for a list of ways to contact us.

1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])

  • HOW NOT TO PERFORM A SECURITY SCAN


Many network administrators have security toolkits that include security scanners and other vulnerability test tools, but not everyone understands how to use those tools ethically. Using software packages on your network to test for vulnerabilities is one thing, but testing somebody else's network for vulnerabilities is an entirely different matter.

It seems obvious that you need permission to scan someone else's network or system. The reason is simple: Someone else's network is neither your property nor your responsibility. Furthermore, mounting an attack on someone's system isn't a wise way to gain notoriety, especially for new security consulting firms. However, not everybody understands that, and I read about a case in point over the weekend.

A security company, ForensicTec Solutions, a 4-month-old startup company, apparently decided it would impress people with its ability to detect vulnerabilities. However, some rookie ForensicTec consultants chose to perform such detection on someone else's network. To compound that poor judgment, that "someone else" turned out to be the US government. According to a report from "The Washington Post," ForensicTec consultants decided to investigate the security of various Department of Defense (DoD) networks and computer systems.
http://www.forensictec.com
http://www.washingtonpost.com/wp-dyn/articles/A24191-2002Aug15.html

The report said that 2 months ago, while working with a client, the ForensicTec consultants detected other networks and IP addresses. They investigated those IP addresses and learned that they belonged to computers running on DoD networks located in Fort Hood, Texas. Out of curiosity, they proceeded to gain access to those military networks, then used that access to gain further access to other government networks, such as those that the National Aeronautics and Space Administration (NASA) operates.

According to the report, the consultants discovered that they could access systems that contained detailed sensitive information, sometimes by using common passwords such as "administrator" and "password." They found information about "radio encryption techniques, the use of laser targeting systems and other field procedures. Another [system they accessed] maintained hundreds of personnel records containing Social Security numbers, security clearance levels and credit card numbers. A NASA computer contained vendor records, including company bank account and financial routing numbers." Still other systems contained "e-mail messages, confidential disciplinary letters and, in one case, a memo naming couriers to carry secret documents and their destinations."

After locating such sensitive information, the company apparently waited 2 months before reporting its findings. When it reported its findings to the military 2 weeks ago, it also contacted "The Washington Post" to report the exploits. The newspaper contacted the government to determine whether ForensicTec's information was accurate.

As a result of its actions, ForensicTec found itself the subject of a Federal Bureau of Investigation (FBI) forensic investigation. According to another report from "The Washington Post," the FBI raided the company's offices over the weekend.
http://www.washingtonpost.com/wp-dyn/articles/A42019-2002Aug20.html

As you might expect, ForensicTec said it acted as it did to gain some exposure for itself and to help the government realize its networks were exposed to intruders. A spokesperson for the Army Criminal Investigation Command in Virginia said, "Regardless of the stated intent, unauthorized entry into Army computer systems is a federal offense."

The moral of this story is at least threefold: Never use easy-to-guess passwords; never turn rookie security consultants loose on others' networks; and never investigate anyone's network without first obtaining explicit permission, preferably in writing, for the investigations you might perform.

SPONSOR: FREE DOWNLOAD SECURE PC ACCESS OVER THE WEB!

PC Magazine's Editors' Choice, NetOp Remote Control, is the professional's choice for fixing remote PC Problems and secure remote access! NetOp is blazingly FAST, extremely SECURE, and provides rock solid STABILITY. Don't trust anything less. Use the Remote Control solution that was designed for enterprise support and access. Download a FREE, fully functional, evaluation copy today and see why NetOp is known as the "hands down winner!"
http://www.crossteccorp.com/w2kmag.htm

2. SECURITY RISKS
(contributed by Ken Pfeil, [email protected])

  • TINY PERSONAL FIREWALL 3.0 FOR WINDOWS


Aaron Tan Lu of NSSI Research Labs discovered two Denial of Service (DoS) conditions in Tiny Software's Tiny Personal Firewall 3.0 for Windows. The first vulnerability affects the default installation and use of the activity logger tab. If a potential attacker uses multiple SYN, UDP, Internet Control Message Protocol (ICMP), and TCP full Connect scans against a host's ports while the vulnerable user browses the Personal Firewall Agent module's firewall Log tab, the system consumes 100 percent of its resources and crashes. The second DoS condition is similar, but it occurs in the HIGH Security setting when an attacker sends traffic with a spoofed source address to the firewall's IP address.
http://www.secadministrator.com/articles/index.cfm?articleid=26348

  • MULTIPLE VULNERABILITIES IN KERIO MAILSERVER 5.0 for WINDOWS XP, WIN2K, and NT


Abraham Lincoln Hao of NSSI Research Labs discovered multiple vulnerabilities in Kerio Technologies' Kerio MailServer 5.0 for Windows that could result in a Denial of Service (DoS) or cross-site scripting scenario. Sending at least five SYN packets to any of a mail server's services (POP3, SMTP, IMAP, Secure IMAP, POP3S, Web-mail, or secure Web-mail services) can result in that service not responding; however, the service will be available again after several minutes. The vendor, Kerio Technologies, has been notified but hasn't yet released a patch for these vulnerabilities.
http://www.secadministrator.com/articles/index.cfm?articleid=26353

  • MULTIPLE VULNERABILITIES IN MICROSOFT IE


GreyMagic Software, Mark Litchfield of Next Generation Security Software (NGSSoftware), and Jouko Pynnonen of Oy Online Solutions discovered five new vulnerabilities in Microsoft Internet Explorer (IE), the most serious of which lets an attacker execute arbitrary code on the vulnerable system. Microsoft has released Security Bulletin MS02-047 (Cumulative Patch for Internet Explorer) to address these vulnerabilities and recommends that affected users download and apply the appropriate patch mentioned in the bulletin.
http://www.secadministrator.com/articles/index.cfm?articleid=26419

  • DoS IN MICROSOFT WINDOWS SMB


Alberto Solino and Hernan Ochoa of Core Security Technologies discovered an unchecked buffer in Microsoft Server Message Block (SMB) that can result in a remotely exploitable Denial of Service (DoS) condition on the vulnerable system. By sending a specially crafted packet to certain transactions of the SMB command SMB_COM_TRANSACTION, an attacker can halt the OS with a blue screen. You can find detailed information about this vulnerability on the discoverers' Web site. Microsoft has released Security Bulletin MS02-045 (Unchecked Buffer in Network Share Provider Can Lead to Denial of Service) to address this vulnerability and recommends that affected users download and apply the appropriate patch mentioned in the bulletin.
http://www.secadministrator.com/articles/index.cfm?articleid=26412

  • MULTIPLE VULNERABILITIES IN MICROSOFT OFFICE WEB COMPONENTS ACTIVEX CONTROL


Three vulnerabilities exist in Microsoft Office Web Components 2002 and Office Web Components 2000 ActiveX control. Products affected by these vulnerabilities include Microsoft Internet Security and Acceleration (ISA) Server 2000, Office XP, Project 2002, Project Server 2002, and Small Business Server (SBS) 2000. Microsoft has released Security Bulletin MS02-044 (Unsafe Functions in Office Web Components) to address these vulnerabilities and recommends that affected users download and apply the appropriate patch mentioned in the bulletin.
http://www.secadministrator.com/articles/index.cfm?articleid=26407

  • MULTIPLE VULNERABILITIES IN WEBEASYMAIL


Stan Bubrouski discovered two vulnerabilities in WebEasyMail for Windows 3.4.2.2 and earlier that can result in a Denial of Service (DoS) condition and information disclosure. An attacker can supply specially crafted format strings (the specifiers that the "printf" family of functions interprets) as input and cause the service to terminate without an error message. The information-disclosure vulnerability lets an attacker determine valid usernames and, from there, guess passwords on the vulnerable system. By default, an attacker can make unlimited logon attempts without the server terminating the connection. If the attacker gives a wrong password, the server responds with "-ERR invalid username" if the user doesn't exist and "-ERR wrong password for this user" if the user exists, so the two responses reveal which usernames are valid. The vendor, WebEasyMail, has been notified but has not yet released a patch for these vulnerabilities.
http://www.secadministrator.com/articles/index.cfm?articleid=26413
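The WebEasyMail item above describes two separate weaknesses in one logon path: distinguishable error strings and no limit on failed attempts. The following Python sketch is an added illustration, not WebEasyMail's code or any vendor's fix. It shows a POP3-style login handler that reproduces the described behaviour (the "before"), beside a hardened handler that returns one response for every failure, does the same hashing work whether or not the user exists, and closes the connection after a fixed number of failures. The account table, the salt, and the MAX_ATTEMPTS limit are constructed for the example.

```python
"""Constructed example: user-enumerating POP3 login versus a hardened one."""
import hashlib
import hmac

# Constructed sample account table: username -> (salt, PBKDF2 digest)
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed value
_ITERATIONS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


USERS = {
    "alice": (_SALT, _hash("correct horse", _SALT)),
}

# Hypothetical limit chosen for the example; the page says the vulnerable
# server imposed no limit at all by default.
MAX_ATTEMPTS = 5


def check_password(user: str, password: str) -> bool:
    """Constant-time-ish check that does the same work for unknown users."""
    entry = USERS.get(user)
    if entry is None:
        _hash(password, _SALT)  # burn the same CPU so timing reveals nothing
        return False
    salt, digest = entry
    return hmac.compare_digest(_hash(password, salt), digest)


def vulnerable_login(user: str, password: str) -> str:
    """Mirrors the behaviour described for WebEasyMail: two distinct errors."""
    if user not in USERS:
        return "-ERR invalid username"
    if not check_password(user, password):
        return "-ERR wrong password for this user"
    return "+OK logged in"


class HardenedSession:
    """One client connection: uniform errors, attempt counting, forced close."""

    def __init__(self) -> None:
        self.failures = 0
        self.open = True

    def login(self, user: str, password: str) -> str:
        if not self.open:
            return "-ERR connection closed"
        if check_password(user, password):
            self.failures = 0
            return "+OK logged in"
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.open = False  # the server, not the client, ends the session
            return "-ERR too many failed attempts, closing connection"
        # Same text whether the username exists or not
        return "-ERR authentication failed"


if __name__ == "__main__":
    print(vulnerable_login("bob", "x"), "|", vulnerable_login("alice", "x"))
    s = HardenedSession()
    print(s.login("bob", "x"), "|", s.login("alice", "x"))
```

The hardened handler still lets a legitimate user log in after a typo, but an attacker who wants to test a username list now gets the same answer for every name and is cut off after MAX_ATTEMPTS tries per connection; the remaining defence, rate-limiting reconnects per source address, lives outside this snippet.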

  • BUFFER OVERRUN IN MICROSOFT TSAC ACTIVEX CONTROL


A buffer-overrun condition exists in Microsoft Terminal Services Advanced Client (TSAC) ActiveX control that can let an attacker execute arbitrary code remotely on the vulnerable system. This vulnerability results from an unchecked buffer in the control's code that processes one of the input parameters. By calling the control on a client system and overrunning the buffer, an attacker can run code under the currently logged-on user's security context. The attacker can mount an attack either by hosting a Web page that exploits the vulnerability against any user who visits the Web page or by sending HTML mail to another user. Microsoft has released Security Bulletin MS02-046 (Buffer Overrun in TSAC ActiveX Control Could Allow Code Execution) to address this vulnerability and recommends that affected users download and apply the appropriate patch.
http://www.secadministrator.com/articles/index.cfm?articleid=26409

3. ANNOUNCEMENTS
(brought to you by Windows & .NET Magazine and its partners)

  • WHY PAY WHEN YOU CAN GET IN-PERSON SECURITY EXPERTISE AT NO CHARGE?


Windows & .NET Magazine Network Road Show 2002 is coming this fall to New York, Chicago, Denver, and San Francisco! Industry experts Mark Minasi and Paul Thurrott will show you how to shore up your system's security and what desktop security features are planned for Microsoft .NET and beyond. Sponsored by Microsoft and NetIQ. Registration is free, but space is limited so sign up now!
http://www.winnetmag.com/seminars/roadshow

  • PLANNING ON GETTING CERTIFIED? MAKE SURE TO PICK UP OUR NEW EBOOK!


"The Insider's Guide to IT Certification" eBook is hot off the presses and contains everything you need to know to help you save time and money while preparing for certification exams from Microsoft, Cisco Systems, and CompTIA and have a successful career in IT. Get your copy of the Insider's Guide today!
http://winnet.bookaisle.com/ebookcover.asp?ebookid=13475

4. SECURITY ROUNDUP

  • FEATURE: PASSWORD DEFENSE


Every user account on your network needs a password, although Windows 2000 permits user logons with null passwords. When you decide to enforce password use, you need to choose the password policies you want to enforce. You can set password policies for a domain or for an individual computer. Setting a password policy for an individual computer is useful when you have machines that are in vulnerable locations or that hold sensitive data. Unfortunately, Win2K doesn't let you set policies on a group-by-group basis, only by domain or machine. Read more about password management in Kathy Ivens's article.
http://www.secadministrator.com/articles/index.cfm?articleid=25962

  • FEATURE: SAFE TRANSIT


When you move a backup of a Microsoft SQL Server database from one server to another, you encounter some specific challenges. A common problem is that in the restore process, usernames and login names can be mismatched. In this article, Kalen Delaney looks at why usernames and login names are important, why mismatched names are a problem, and how to use a special procedure called sp_sidmap to avoid such problems.
http://www.secadministrator.com/articles/index.cfm?articleid=25983

  • FEATURE: WINDOWS XP SP1


When Windows XP arrived last year, the enterprise was underwhelmed: Most new XP features were clearly aimed at consumers, not business users, and the benefits the new system offered over Windows 2000 were unclear. A year later, XP is more entrenched, however, and a new Service Pack 1 (SP1) release will address some enterprise concerns. Read Paul Thurrott's article to learn what you need to know about XP SP1.
http://www.secadministrator.com/articles/index.cfm?articleid=25972

5. HOT RELEASE (ADVERTISEMENT)

  • SECUREIIS PROVIDES A SOLID BRICK IN YOUR DEFENSIVE WALL


SecureIIS is an application firewall that remedies the lack of hacker protection that was assumed to be out-of-the-box on an IIS server. eEye Digital Security created the first-ever application firewall to combat Port 80 vulnerabilities.
Learn more & free trial downloads at:
http://www.eeye.com/click.asp?ref=wnetnews2&target=secureiis

6. SECURITY TOOLKIT

  • VIRUS CENTER


Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

  • FAQ: HOW CAN I DISABLE ENCRYPTING FILE SYSTEM (EFS) ON A WINDOWS 2000 OR LATER MACHINE?


(contributed by John Savill, http://www.windows2000faq.com)

A. To disable EFS, perform the following steps:

  1. Start a registry editor (e.g., regedit.exe).

  2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS registry subkey.

  3. From the Edit menu, select New, DWORD Value.

  4. Enter a name of EfsConfiguration and press Enter.

  5. Double-click the new value, set it to 1 to disable EFS, then click OK.

  6. Close the registry editor.

  7. Reboot the machine.

This change will affect all users: When users try to encrypt a file, they'll receive an error. Setting the registry value to 0 enables EFS again; the value doesn't exist by default, and EFS is enabled when the value is absent.

7. NEW AND IMPROVED
(contributed by Judy Drennen, [email protected])

  • ENSURE SECURE INFORMATION EXCHANGE


Ingrian Networks announced its next generation of Active Application Security solutions for database encryption, user authentication, secure Microsoft Outlook Web-based email access, intrusion protection, secure caching, and secure load balancing. Four new solutions, i225, i220, i215, and i210, were designed to proactively ensure secure information exchange. The products are designed to be Plug and Play (PnP) and can often be deployed in less than 30 minutes with the Ingrian Networks Quick Start Guide. Prices start at $23,995 and depend on the solution configuration. Contact Ingrian at 650-261-2400 or email [email protected].
http://www.ingrian.com

  • ENABLE ENTERPRISEWIDE CONFIGURATION CHANGES


Configuresoft announced Enterprise Configuration Manager (ECM) 4.0, a solution that reduces the IT resources required to proactively manage system and security configurations across enterprise networks. ECM 4.0 lets central IT departments create customized user roles to securely and selectively provide access to ECM's functionality and configuration data. Prices start at $995 per server and $30 per workstation. ECM 4.0 runs on Windows XP, Windows 2000, Windows NT, and Microsoft SQL Server 2000 or higher. Contact Configuresoft at 719-447-4600 or email [email protected].
http://www.configuresoft.com

  • SUBMIT TOP PRODUCT IDEAS


Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].

8. HOT THREADS

  • WINDOWS & .NET MAGAZINE ONLINE FORUMS


http://www.winnetmag.com/forums

Featured Thread: Upstream Proxy Authentication
(One message in this thread)

Stryder writes that his company has two remote locations, each with a Microsoft Internet Security and Acceleration (ISA) Server with its own Internet connection. In office 1, a VPN tunnel links back to the parent company for intranet sites that the office needs to access. He has set up office 2 to route any request for those intranet sites to office 1's ISA Server. Access works well for employees in office 1, but office 2 connections involve multiple authentications. The two ISA Servers run in a Windows NT 4.0 domain, so he doesn't have to set up any trust between the machines. However, he wants to know how to set up authentication so that users in office 2 aren't prompted every time they access an intranet site. Can you help? Read the responses or lend a hand at:
http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=44814

  • HOWTO MAILING LIST


http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: Win2K Group Policy Error
(One message in this thread)

Erich has just set up Group Policy on Windows 2000 Server. When he logs on to the domain, the policy hasn't been implemented. When he checks the Event Viewer, he finds an error message in the Application log that reads "The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332)".
Can you help? Read the responses or lend a hand at the following URL:

9. CONTACT US
Here's how to reach us with your comments and questions:

This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
http://www.secadministrator.com/sub.cfm?code=saei25xxup

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email
