Security UPDATE, February 19, 2003

Mark Joseph Edwards discusses the use of honeypots on your network to detect forms of probing and identify attacks that your Intrusion Detection System (IDS) might not be able to discover.

ITPro Today

February 18, 2003


Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows Server 2003, Windows 2000, and Windows NT systems. http://www.secadministrator.com

********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Security on All Workstations Compromised in Minutes http://promo.liebsoft.com/?p=win2ksec0203

Windows & .NET Magazine Network Web Seminars http://www.winnetmag.com/seminars (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: SECURITY ON ALL WORKSTATIONS COMPROMISED IN MINUTES ~~~~ In just a few minutes any of your domain users could become the administrator of ALL your machines without your knowledge. A quick search of Google.com for password crackers is all it takes. There is a solution. Download our guide to plugging the DISTRIBUTED CREDENTIALS FLAW in Windows. http://promo.liebsoft.com/?p=win2ksec0203

~~~~~~~~~~~~~~~~~~~~

February 19, 2003--In this issue:

1. IN FOCUS - Security Reconnaissance with Honeyd and HoneyWeb

2. SECURITY RISKS - Multiple Vulnerabilities in Opera Web Browser - Brute-Force Vulnerability in Aprelium's Abyss Web Server - Buffer-Overrun Vulnerability in Celestial Software's Absolute Telnet

3. ANNOUNCEMENTS - Pharma-IT Summit: Real-World Solutions for Today's Pharma-IT Challenges, March 31, 2003 - Try Windows & .NET Magazine!

4. SECURITY ROUNDUP - News: Sanctum Announces AppScan Developer Edition - News: Microsoft Offers Less-Technical Security Information - News: KeyLabs Says Sygate Outperforms Symantec - News: Peace of Mind While Shopping Online

5. INSTANT POLL - Results of Previous Poll: Slammer/Sapphire Worm - New Instant Poll: Early Warning Network

6. SECURITY TOOLKIT - Virus Center - FAQ: How Can I Prevent Users from Importing or Exporting Their Microsoft Internet Explorer (IE) Favorites?

7. NEW AND IMPROVED - Block User-Installed Wireless Networks - Secure Servers Attached to KVM Switches - Submit Top Product Ideas

8. HOT THREAD - Windows & .NET Magazine Online Forums - Featured Thread: ISA Feature Pack 1 and SSL Certificates

9. CONTACT US See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1.

IN FOCUS

(contributed by Mark Joseph Edwards, News Editor, [email protected])

* SECURITY RECONNAISSANCE WITH HONEYD AND HONEYWEB

Do you have layered security in place? If so, do your layers include features that help you determine which kinds of attacks are targeting your networks? Many of you probably have probing and attack-detection tools in place, such as an Intrusion Detection System (IDS), but you can take that sort of attack-detection technology further by adding a honeypot to your network.

I've written about various honeypot technologies in the past, including information about various network, system, and service emulators. For example, some honeypot technologies can mimic particular system architecture, and others can emulate services such as SMTP mail servers to help thwart spammers. You can find several articles about honeypots through the search URL below. http://search.winnetmag.com/query.html?qt=honeypot&site=security

On Lance Spitzner's Tracking Hackers Web site (see the first URL below), he defines a honeypot as "a security resource [whose] value lies in being probed, attacked, or compromised." If you're interested in honeypot technology, know that a new version of Honeyd (see the second URL below) was released over the weekend, along with a new challenge for people to contribute to the project. http://www.tracking-hackers.com http://www.citi.umich.edu/u/provos/honeyd

Niels Provos, who developed Honeyd, explains that "Honeyd is a virtual honeypot running as a small daemon to create virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems." Honeyd monitors unused IP addresses on a network to develop a virtual network of honeypots to help detect probing and intrusion.

Honeyd listens for TCP, UDP, and some types of Internet Control Message Protocol (ICMP) traffic to help detect activity directed at your network's unused IP addresses, to which no one should be sending traffic in the first place. If you want to establish bogus services to interact with potential intruders, you can use Honeyd to do that as well. One of Honeyd's slick features is its ability to spoof a given system type at the kernel level to help thwart tools such as Xprobe and Nmap, which are designed to detect exact OS types, such as Windows or a Cisco Systems router OS.
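The detection idea behind Honeyd, that nobody legitimate should be talking to an address no host occupies, can be checked against ordinary firewall logs even without running a honeypot. The following is an added example, not code from the newsletter or from the Honeyd project; the subnet, live-host list and log lines are constructed, and the log format is an assumption.

```python
# Added example (not part of the newsletter or of Honeyd): flag connection
# attempts aimed at monitored address space that no real host occupies, the
# same signal Honeyd turns into a virtual honeypot. Addresses and log format
# below are constructed for the example.
import ipaddress
from collections import defaultdict

# Assumed: the monitored subnet and the addresses actually assigned to hosts.
MONITORED_NET = ipaddress.ip_network("192.0.2.0/24")
LIVE_HOSTS = {ipaddress.ip_address(a) for a in ("192.0.2.1", "192.0.2.10", "192.0.2.20")}

# Constructed firewall-style log lines: time src:sport -> dst:dport proto
SAMPLE_LOG = """\
10:00:01 198.51.100.7:40001 -> 192.0.2.10:80 TCP
10:00:02 198.51.100.7:40002 -> 192.0.2.11:80 TCP
10:00:02 198.51.100.7:40003 -> 192.0.2.12:80 TCP
10:00:03 198.51.100.7:40004 -> 192.0.2.13:80 TCP
10:00:05 203.0.113.9:51000 -> 192.0.2.20:25 TCP
10:00:06 203.0.113.9:51001 -> 192.0.2.200:1434 UDP
"""

def parse_line(line):
    """Return (src, dst, dport, proto) for one constructed log line."""
    _, src, _, dst, proto = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return src_ip, ipaddress.ip_address(dst_ip), int(dport), proto

def unused_address_hits(log_text):
    """Keep only traffic aimed at monitored addresses that no live host uses."""
    hits = []
    for line in log_text.splitlines():
        src, dst, dport, proto = parse_line(line)
        if dst in MONITORED_NET and dst not in LIVE_HOSTS:
            hits.append((src, str(dst), dport, proto))
    return hits

def sweep_sources(hits, min_targets=3):
    """Sources that touched at least min_targets distinct unused addresses:
    the horizontal-scan pattern an IDS watching only live hosts can miss."""
    targets = defaultdict(set)
    for src, dst, _, _ in hits:
        targets[src].add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)

if __name__ == "__main__":
    found = unused_address_hits(SAMPLE_LOG)
    for hit in found:
        print("probe of unused address:", hit)
    print("sweep sources:", sweep_sources(found))
```

Honeyd goes one step further than this check by answering for those addresses, so the prober also gets a fake host to interact with rather than silence.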

Along with the release of Honeyd 0.5, Provos has issued an invitation to contribute to the Honeyd project by developing useful feature additions and improvements. Potential contributors can work on developments such as additional service emulators and forensics tools for analysis and visualization of Honeyd log files and a GUI. You can read more about the challenge at the Honeyd Web site, hosted at the University of Michigan. http://www.citi.umich.edu/u/provos/honeyd/challenge.html

Other useful honeypot tools work in conjunction with Honeyd, or you can run them standalone. One such tool is HoneyWeb, written by Kevin Timm and available at the URL below. HoneyWeb is a new tool that can emulate various Web server platforms, including Apache, Netscape, and Microsoft IIS. HoneyWeb deceives intruders by emulating HTTP headers and delivering Web pages. http://www.var-log.com/files

For example, HoneyWeb looks at incoming URL requests, determines which platform they suit, and returns headers and Web pages that emulate that platform. As I interpret the somewhat sparse documentation, the tool can also track URL requests persistently. So if the same user makes a UNIX-style request and then a Microsoft-style request (in a configurable time frame), the system can return a 404 error to maintain consistency with the type of Web platform being emulated. HoneyWeb can spoof other kinds of content, and it can return bogus directory listings for a given root path URL or a bogus rendition of an .htaccess file.
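The platform-consistency behaviour described above can be shown in a few dozen lines. The following is an added example, not HoneyWeb's own code: the path hints, the Server headers, the page bodies and the time window are all assumptions made for the illustration.

```python
# Added example (not HoneyWeb's own code): a minimal HoneyWeb-style
# responder. It guesses which platform a request was written for, answers
# with matching headers, remembers the platform per client, and returns a
# 404 when the same client switches style within the time window, so the
# emulated server never contradicts itself. Hints and headers are assumed.
import time

# Assumed per-platform Server headers and page bodies (constructed).
PLATFORMS = {
    "iis":    {"Server": "Microsoft-IIS/5.0", "body": "<h1>Under Construction</h1>"},
    "apache": {"Server": "Apache/1.3.27 (Unix)", "body": "<h1>It worked!</h1>"},
}
WINDOWS_HINTS = (".asp", ".aspx", "/scripts/", "/_vti_bin/")
UNIX_HINTS = ("/cgi-bin/", ".php", ".pl", ".cgi")

def guess_platform(path):
    """Map a request path to the platform it is aimed at; None if neutral."""
    p = path.lower()
    if any(h in p for h in WINDOWS_HINTS):
        return "iis"
    if any(h in p for h in UNIX_HINTS):
        return "apache"
    return None

class HoneyWebLite:
    def __init__(self, default="apache", window=600):
        self.default = default   # platform served for neutral requests
        self.window = window     # seconds a client is held to one platform
        self.seen = {}           # client -> (platform, last_seen)

    def respond(self, client, path, now=None):
        """Return (status, headers, body) for one request from client."""
        now = time.time() if now is None else now
        wanted = guess_platform(path)
        assigned, last = self.seen.get(client, (None, 0.0))
        if assigned is None or now - last > self.window:
            assigned = wanted or self.default   # first or expired contact sets it
        self.seen[client] = (assigned, now)
        hdrs = {"Server": PLATFORMS[assigned]["Server"], "Content-Type": "text/html"}
        if wanted is not None and wanted != assigned:
            # Request fits a different platform: stay in character with a 404.
            return 404, hdrs, "<h1>Not Found</h1>"
        return 200, hdrs, PLATFORMS[assigned]["body"]

if __name__ == "__main__":
    hw = HoneyWebLite()
    print(hw.respond("198.51.100.7", "/default.asp", now=1000.0)[:2])
    print(hw.respond("198.51.100.7", "/cgi-bin/test.cgi", now=1005.0)[:2])
```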

Timm developed HoneyWeb in the Python programming language. To learn more about HoneyWeb, visit the first URL below and also read the readme text in the program archive file. If you want to try HoneyWeb, you need to obtain a copy of Python for your platform at the second URL below. HoneyWeb also supports Secure Sockets Layer (SSL) by using Stunnel as an add-on. You can obtain Stunnel at the third URL below. http://www.var-log.com/files/HoneyWeb.txt http://www.python.org http://www.stunnel.org

If you don't use a honeypot on your network, why not consider installing one? It might pick up on subtle forms of probing and identify attacks that your IDS might not be able to detect. Using a honeypot can increase your awareness of the type of attacks your network faces and help you keep your network more secure.

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: WINDOWS & .NET MAGAZINE NETWORK WEB SEMINARS ~~~~ DON'T MISS OUR WEB SEMINARS IN MARCH! Windows & .NET Magazine has 3 new Web seminars to help you address your security and storage concerns. There is no fee to attend "Selling the Importance of Security: 5 Ways to Get Your Manager's Attention," "Building an Ultra Secure Extranet on a Shoe String," or "An Introduction to Windows Powered NAS," but space is limited, so register for all 3 events today! http://www.winnetmag.com/seminars

~~~~~~~~~~~~~~~~~~~~

2.

SECURITY RISKS

(contributed by Ken Pfeil, [email protected])

* MULTIPLE VULNERABILITIES IN OPERA WEB BROWSER Opera Software's Opera Web Browser 7.0 and earlier contains five newly discovered vulnerabilities. Three of these vulnerabilities permit full read access to the user's file system and let an intruder list contents of directories, read files, and access email messages on the vulnerable system. The other two vulnerabilities expose sensitive private information about the user by permitting Web access to URLs that the user has recently visited. Opera Software has released Opera Web Browser 7.01, which isn't vulnerable to these conditions. http://www.secadministrator.com/articles/index.cfm?articleid=38021

* BRUTE-FORCE VULNERABILITY IN APRELIUM'S ABYSS WEB SERVER A vulnerability in Aprelium Technologies' Abyss Web Server 1.1.2 and earlier lets an attacker gain administrative access to the Web server. An attacker can connect to the remote Web management interface at http://abyss_server:9999 and use a brute-force method to access the server. An attacker can use an indefinite number of attempts to enter a valid username and password; the software uses no delay to penalize wrong attempts. Abyss has no logging for port 9999 (unlike the access.log file for port 80). Aprelium has been notified and will release a patch or new version that isn't vulnerable to these conditions. http://www.secadministrator.com/articles/index.cfm?articleid=38022

* BUFFER-OVERRUN VULNERABILITY IN CELESTIAL SOFTWARE'S ABSOLUTE TELNET A vulnerability in Celestial Software's Absolute Telnet 2.11 and Absolute Telnet 2.00 can lead to arbitrary execution of code on the vulnerable system. This vulnerability is a result of insufficient bounds checking in the code that sets the program's title bar. Celestial Software has released Absolute Telnet 2.12 Release Candidate 10 (RC10), which isn't vulnerable to this condition. http://www.secadministrator.com/articles/index.cfm?articleid=37999

3.

ANNOUNCEMENTS

(brought to you by Windows & .NET Magazine and its partners)

* PHARMA-IT SUMMIT: REAL-WORLD SOLUTIONS FOR TODAY'S PHARMA-IT CHALLENGES, MARCH 31, 2003 Annual executive conference highlights the increased focus on IT security in global pharmaceutical enterprises. Networking, case studies, intensive workshops, and forums help CIOs, CTOs, CFOs, VPs, and other top decision makers leverage pharmaceutical IT solutions successfully. Keynote presentations by executives from Aventis, Novartis, Astrazeneca, Hoffman-Laroche, and Pfizer, plus the US Dept. of Health & Human Services. http://www.pharmaitsummit.com

* TRY WINDOWS & .NET MAGAZINE! Every issue of Windows & .NET Magazine includes intelligent, impartial, and independent coverage of security, Active Directory, Microsoft Exchange Server, and more. Our expert authors deliver how-to content you simply can't find anywhere else. Try a sample issue today, and find out what more than 100,000 readers know that you don't! http://www.winnetmag.com/rd.cfm?code=fsei203xup

4.

SECURITY ROUNDUP

* NEWS: SANCTUM ANNOUNCES APPSCAN DEVELOPER EDITION Sanctum announced AppScan Developer Edition (DE) 1.5, which helps create secure Web applications. AppScan DE is integrated seamlessly into Microsoft Visual Studio .NET for support using the C#, C++, and J# programming languages. The product helps developers create unit tests and validation processes, provides defect analysis, and offers recommendations for code improvement. http://www.secadministrator.com/articles/index.cfm?articleid=38007

* NEWS: MICROSOFT OFFERS LESS-TECHNICAL SECURITY INFORMATION Microsoft now offers news about product security problems to less-technical users, such as home users and corporate executives who don't need exact details. Users can subscribe to the new security alerting service at the Microsoft Security Update Web site. http://www.secadministrator.com/articles/index.cfm?articleid=38011

* NEWS: KEYLABS SAYS SYGATE OUTPERFORMS SYMANTEC Sygate Technologies announced that independent testing laboratory KeyLabs conducted a comparison test that showed that the company's Sygate Secure Enterprise 3.0 outperformed Symantec's Client Security 2.0. http://www.secadministrator.com/articles/index.cfm?articleid=38006

* NEWS: PEACE OF MIND WHILE SHOPPING ONLINE ScanAlert is helping e-commerce sites increase sales while offering online shoppers a little more peace of mind. The company's HACKER SAFE service helps consumers determine whether a given e-commerce site is secure enough to trust with handling sensitive information, such as credit card numbers. http://www.secadministrator.com/articles/index.cfm?articleid=38018

5.

INSTANT POLL

* RESULTS OF PREVIOUS POLL: SLAMMER/SAPPHIRE WORM The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Did the Slammer/Sapphire worm directly affect your network, connectivity, or computerized activities?" Here are the results from the 250 votes. (Deviations from 100 percent are due to rounding errors.)
- 24% Yes
- 76% No

* NEW INSTANT POLL: EARLY WARNING NETWORK The next Instant Poll question is, "Do you participate in an 'early warning' network that gathers forensic information from firewall and Intrusion Detection System (IDS) logs?" Go to the Security Administrator Channel home page and submit your vote for a) Yes--DShield.org, b) Yes--Symantec DeepSight Analyzer, c) Both of the above, d) Other, or e) No. http://www.secadministrator.com

6.

SECURITY TOOLKIT

* VIRUS CENTER Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda

* FAQ: HOW CAN I PREVENT USERS FROM IMPORTING OR EXPORTING THEIR MICROSOFT INTERNET EXPLORER (IE) FAVORITES? (contributed by John Savill, http://www.windows2000faq.com)

A. By default, users can use the File, Import and Export menu option in IE to import and export their IE Favorites. You can disable this functionality by performing the following steps:
1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the HKEY_CURRENT_USER\Software\Policies\Microsoft registry subkey.
3. If the Internet Explorer subkey doesn't exist, create it (from the Edit menu, select New, Key and type "Internet Explorer" without the quotes), then navigate to that subkey.
4. From the Edit menu, select New, DWORD Value.
5. Enter the name DisableImportExportFavorites, then press Enter.
6. Double-click the new value, set it to 1, then click OK.

The change takes effect immediately. Users will still be able to run the Import and Export Wizard, but when they click Finish, the wizard will inform them that it has been disabled.

7.

NEW AND IMPROVED

(contributed by Sue Cooper, [email protected])

* BLOCK USER-INSTALLED WIRELESS NETWORKS SecureWave released WaveLock, a free utility that blocks access to the wireless network adapters and wireless LAN (WLAN) cards that Windows XP and Windows 2000 support out of the box. WaveLock detects attempts to install wireless network adapters and prevents their drivers from loading, rendering the adapters inoperative and ensuring that users who know about these preinstalled drivers don't compromise your networks. For more information or to download WaveLock, visit the following URLs: http://securewave.com/products/free_utilities/wavelock.html http://securewave.com

* SECURE SERVERS ATTACHED TO KVM SWITCHES Belkin introduced the OmniView SE Plus Series Keyboard/Video/Mouse (KVM) Switch, which gives you control over multiple-platform servers from a single console. Product security has been enhanced to prevent unintended information exchange between secure and nonsecure servers connected to the Switch. The new KVM switch supports PS/2-style and USB servers in two-port or four-port models. For pricing or more information, contact Belkin at 800-223-5546 or through its Web site. http://www.belkin.com

* SUBMIT TOP PRODUCT IDEAS Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].

8.

HOT THREAD

* WINDOWS & .NET MAGAZINE ONLINE FORUMS http://www.winnetmag.com/forums

Featured Thread: ISA Feature Pack 1 and SSL Certificates (Three messages in this thread)

A user in the Netherlands writes that he believes that since the release of Microsoft Internet Security and Acceleration (ISA) Server Feature Pack 1, it's no longer necessary to configure a demilitarized zone (DMZ) to secure his network when he wants only to securely expose his Microsoft Exchange Server to his employees through the Internet. Is this correct? He believes that he'll have to use a Secure Sockets Layer (SSL) certificate, and he has questions about the best approach to do so. Lend a hand or read the responses: http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=54270

9.

CONTACT US

Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- [email protected]

* ABOUT THE NEWSLETTER IN GENERAL -- [email protected] (please mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- [email protected]

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- [email protected]

* WANT TO SPONSOR SECURITY UPDATE? [email protected]

********************

This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today! http://www.secadministrator.com/sub.cfm?code=saei25xxup

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters. http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.


MANAGE YOUR ACCOUNT You can manage your entire Windows & .NET Magazine Network email newsletter account on our Web site. Simply log on and you can change your email address, update your profile information, and subscribe or unsubscribe to any of our email newsletters all in one place. http://www.winnetmag.com/email

Thank you! __________________________________________________________ Copyright 2003, Penton Media, Inc.
