Security UPDATE, July 24, 2002

Mark Joseph Edwards discusses recently released security statistics and what we can learn from them.

ITPro Today

July 23, 2002


Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com

THIS ISSUE SPONSORED BY

Got security challenges? Come see solutions.
http://www.bindview.com/MSseminar6

Free White Paper: Content Filtering Strategies
http://www.pandasecurity.com/new/enewsletter/form-4021.html
(below IN FOCUS)

SPONSOR: GOT SECURITY CHALLENGES? COME SEE SOLUTIONS.

What is Microsoft really doing to improve the security in their products? What are your responsibilities vs. Microsoft’s for security? How can you quickly locate and eliminate security vulnerabilities? Why were some companies protected from Nimda and Code Red when others were not? How can you become proactive, rather than reactive with security issues? Find out the answers to these and other questions at one of more than 15 free, half-day seminars co-sponsored by Microsoft and BindView Corporation, "Proactive Security Management for the Microsoft Enterprise." To find a location near you and to register, go to
http://www.bindview.com/MSseminar6

July 24, 2002—In this issue:

1. IN FOCUS

  • Security Statistics Abound: What Do They Tell Us?

2. SECURITY RISKS

  • Remote PGP Outlook Encryption Plug-in Vulnerability

  • Buffer Overrun in Symantec Norton Personal Security Firewall

3. ANNOUNCEMENTS

  • Energize Your Enterprise at MEC 2002, October 8 Through 11, Anaheim, CA

  • Real-World Tips and Solutions Here for You

4. SECURITY ROUNDUP

  • News: New Win2K Pro Security Benchmarks

  • News: Internet Security Threat Report, Volume II

  • Feature: *#@$&% SECURITY

  • Feature: WMP EULA and DRM System Security

5. INSTANT POLL

  • Results of Previous Poll: Credit Card Information Theft

  • New Instant Poll: Security Budget

6. SECURITY TOOLKIT

  • Virus Center

    • Virus Alert: W32/Dadinu

    • Virus Alert: W32/Calil

    • Virus Alert: W32/Frethem.K

  • FAQ: How Can I Remove the Link Between Outlook 2002 and MSN Messenger?

7. NEW AND IMPROVED

  • Learn about Web Security, Privacy, and Commerce

  • Restrict File and Folder Access

  • Submit Top Product Ideas

8. HOT THREADS

  • Windows & .NET Magazine Online Forums

    • Featured Thread: Can DHCP Authenticate a Workstation Before Issuing an IP Address?

  • HowTo Mailing List:

    • Featured Thread: Event ID 1000 and Event ID 1202 in Win2K DCs

9. CONTACT US

  • See this section for a list of ways to contact us.

1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])

 

  • SECURITY STATISTICS ABOUND: WHAT DO THEY TELL US?

  • Are you ready for more security statistics? Newly published information indicates that Linux systems suffered an increasing number of attacks in the first half of 2002, compared with 2001. According to London company mi2g, Linux systems have suffered 7630 attacks so far in 2002, not including viruses and worms. During all of 2001, Linux systems suffered only 5736 attacks. The company said the attacks are largely because of third-party applications with vulnerabilities that administrators don't patch quickly enough.

    On the other hand, attacks against Microsoft IIS systems have diminished. According to mi2g, attackers launched 9404 attacks against IIS systems in the first half of 2002, compared with 11,828 attacks in the first half of 2001.

    Overall, however, the number of attacks against all systems rose 27 percent over last year. In the first half of 2001, organizations reported 16,007 attacks; so far this year, organizations have reported 20,371 attacks.

    Government online systems are experiencing fewer attacks. Fifty-four US government systems reported attacks so far this year, compared with 204 such attacks in the first half of 2001. In the UK, only 12 government systems reported attacks this year, compared with 38 attacks in the first half of 2001. According to mi2g, the US Cyber Security Enhancement Act (CSEA) has probably helped reduce the number of attacks against government systems because the act permits much stiffer penalties for cybercrime.
    http://www.mi2g.com/cgi/mi2g/press/110702.php

    The recently published Computer Emergency Response Team (CERT) statistics reflect an increase in the number of vulnerabilities reported this year. According to CERT, organizations have reported 2148 vulnerabilities so far this year, compared with 2437 reported vulnerabilities in 2001 and 1090 reported in 2000.
    http://www.cert.org/stats/cert_stats.html

    The Computer Security Institute (CSI) released statistics in April 2002 that CSI gathered in conjunction with the Federal Bureau of Investigation (FBI). CSI polled 503 security practitioners; 80 percent of those polled reported financial losses because of system breaches. Forty-four percent (223 entities) were willing to quantify their losses, which totaled about $455,848,000.
    http://www.gocsi.com/press/20020407.html

    Riptech, a Virginia-based security services firm, recently released an interesting set of statistics. Riptech gathered log information from 400 companies in more than 30 countries and confirmed that more than 180,000 attacks took place in the first half of 2002. The report shows that 80 percent of all attacks originate from 10 countries, including the United States, Germany, South Korea, China, France, Canada, Italy, Taiwan, the UK, and Japan. You can read more about Riptech's report in the related news story in the Security Roundup section of this newsletter.
    http://www.secadministrator.com/articles/index.cfm?articleid=25897

    With the exception of a few bright spots, the unsurprising news is that attacks are increasing. Some of the increase might be a function of a trend feeding on itself. For example, more organizations and individuals discover and report more vulnerabilities in some detail. Then, unscrupulous individuals use the details to perpetrate additional attacks. Also, each reported vulnerability—if left unpatched for too long—lets intruders attack an increasing number of systems. Because intruders use search-engine tactics to identify many vulnerable Web servers, the numbers can soar higher.

    Given the current climate, patch your systems quickly. And take a moment to answer today's Instant Poll question about the security resources you need to keep your organization from becoming a negative security statistic.

    SPONSOR: FREE WHITE PAPER: CONTENT FILTERING STRATEGIES

    Defeat cyber-threats. Avoid false alarms. Filter out the most dangerous file extensions. Block undesirable material from entering your company. Check out Panda Software's new white paper and discover how to protect your company against a whole range of threats - from rampant malware to email-transmitted viruses. All of this crucial information is offered to you completely FREE of charge. CLICK the following URL to DOWNLOAD now:
    http://www.pandasecurity.com/new/enewsletter/form-4021.html

    2. SECURITY RISKS
    (contributed by Ken Pfeil, [email protected])

     

  • Remote PGP Outlook Encryption Plug-in Vulnerability

  • Marc Maiffret and Riley Hassell of eEye Digital Security discovered a vulnerability in Network Associates' (NAI's) Pretty Good Privacy (PGP) Outlook Encryption plugin. The vulnerability can result in remote compromise of the vulnerable system. By sending a specially crafted email to a vulnerable system, an attacker can execute code remotely on that system. Read eEye Digital Security's advisory for a detailed explanation of this vulnerability. NAI has released a patch for the latest version of the PGP Outlook plugin to address this vulnerability.
    http://www.secadministrator.com/articles/index.cfm?articleid=25875

     

  • Buffer Overrun in Symantec Norton Personal Security Firewall

  • Ollie Whitehouse of @stake discovered a buffer-overflow vulnerability in Symantec's Norton Personal Firewall that an attacker can exploit to execute code on the vulnerable system. An intruder can exploit this vulnerability even if the requesting application isn't configured in the firewall permission settings to make outgoing requests. See the @stake advisory for a detailed technical explanation. The vendor, Symantec, has released an advisory regarding this vulnerability and recommends that affected users download the patch from the advisory URL when the patch becomes available.
    http://www.secadministrator.com/articles/index.cfm?articleid=25895

    3. ANNOUNCEMENTS
    (brought to you by Windows & .NET Magazine and its partners)

     

  • ENERGIZE YOUR ENTERPRISE AT MEC 2002, OCTOBER 8 THROUGH 11, ANAHEIM, CA

  • Don't miss the essential Microsoft infrastructure conference where you'll connect with a world of expert information, technical training sessions, best practices, and hands-on labs. Be among the first 1000 to register and receive a free MEC 2002 DVD valued at $695—plus save $300!
    http://www.microsoft.com/corpevents/mec2002

     

  • REAL-WORLD TIPS AND SOLUTIONS HERE FOR YOU

  • Windows & .NET Magazine LIVE!'s full-conference schedule is now online. Don't miss this chance to network with the finest gathering of Windows gurus on the planet. This conference is chock full of "been there, done that" knowledge from people who use Microsoft products in the real world. Register now and access concurrently run XML Web Services Connections for FREE.
    http://events.pentontech.com/windows/register.asp

    4. SECURITY ROUNDUP

     

  • NEWS: New Win2K Pro Security Benchmarks

  • On July 17, the Center for Internet Security (CIS) released new security benchmarking tools for Windows 2000 Professional. The new benchmarking set consists of a scoring tool along with security templates that you can use to analyze and adjust system security settings.
    http://www.secadministrator.com/articles/index.cfm?articleid=25949

     

  • NEWS: Internet Security Threat Report, Volume II

  • Riptech released Volume II of its Internet Security Threat Report, which shows that Internet attacks grew at an annualized rate of 64 percent during the period between January 2002 and June 2002. The report is based on data mining and analysis of more than 11 billion firewall logs and Intrusion Detection System (IDS) alerts from more than 400 companies in more than 30 countries around the world.
    http://www.secadministrator.com/articles/index.cfm?articleid=25897

     

  • FEATURE: *#@$&% SECURITY

  • As you know, securing your networks requires vigilance and a lot of work. However, you ignore security at your peril, risking your job and possibly your company's entire future. But when you adopt the right mind-set, security tasks aren't so bad. What's important is to address security problems before it's too late.
    http://www.secadministrator.com/articles/index.cfm?articleid=25928

     

  • FEATURE: WMP EULA and DRM SYSTEM SECURITY

  • On June 27, 2002, Microsoft posted a security update to the Windows Media Player (WMP). That update included an End User Licensing Agreement (EULA) covering, among other things, the Digital Rights Management (DRM) system.
    http://www.secadministrator.com/articles/index.cfm?articleid=25910

    5. INSTANT POLL

     

  • RESULTS OF PREVIOUS POLL: CREDIT CARD INFORMATION THEFT

  • The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Have you or has your company experienced credit card information theft through the Internet?" Here are the results (+/- 2 percent) from the 197 votes:

    • 23% I have experienced Internet credit card information theft

    • 5% My company has experienced Internet credit card information theft

    • 1% Both have experienced Internet credit card information theft

    • 71% Neither has experienced Internet credit card information theft

     

  • NEW INSTANT POLL: SECURITY BUDGET


  • The next Instant Poll question is, "Is your current level of network security a function of budget constraints?" Go to the Security Administrator Channel home page and submit your vote for a) Yes—We need more security staff, b) Yes—We need additional security tools, c) Yes—We need additional staff and tools, d) No—We budget for adequate network security, or e) No—We "spare no expense" for network security.
    http://www.secadministrator.com

    6. SECURITY TOOLKIT

     

  • VIRUS CENTER


  • Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
    http://www.secadministrator.com/panda

     

  • VIRUS ALERT: W32/Dadinu


  • W32/Dadinu is a worm that spreads by sending itself to every address in the Microsoft Messenger Address Book. The worm creates a large number of files on infected computers. The files are copies of the worm.
    http://63.88.172.127/panda/index.cfm?fuseaction=virus&virusid=1183

     

  • VIRUS ALERT: W32/Calil


  • W32/Calil emails itself to every address in the Microsoft Outlook Address Book. The message containing the worm has a subject field that reads "FW:FW: LILAC project video attach."
    http://63.88.172.127/panda/index.cfm?fuseaction=virus&virusid=1185

     

  • VIRUS ALERT: W32/Frethem.K


  • W32/Frethem.K is a worm that spreads through email with a subject that reads "Re: Your password!." This message contains a file attachment called "decrypt-password.exe." The worm exploits a vulnerability in Microsoft Internet Explorer (IE) 5.5 and IE 5.01 that lets files attached to an email message run automatically simply by viewing the message.
    http://63.88.172.127/panda/index.cfm?fuseaction=virus&virusid=1187

     

  • FAQ: How can I remove the link between Outlook 2002 and MSN Messenger?


  • (contributed by John Savill, http://www.windows2000faq.com)

    A. By default, Microsoft Outlook 2002 and MSN Messenger are linked. If both applications are running and you attempt to close MSN Messenger, the following error appears on the screen:

    "There are other applications currently using features provided by Windows Messenger. You must close these other applications before you can exit Windows Messenger. These applications may include Outlook, Outlook Express, MSN Explorer, and Internet Explorer."

    To remove the link between Outlook 2002 and MSN Messenger, perform the following steps:

    1. Start Outlook.

    2. From the Tools menu, select Options.

    3. Select the Other tab.

    4. Clear the "Enable Instant Messaging in Microsoft Outlook" check box in the Instant Messaging section, then click OK.

    5. Close and restart Outlook for the change to take effect.

    7. NEW AND IMPROVED
    (contributed by Judy Drennen, [email protected])

     

  • LEARN ABOUT WEB SECURITY, PRIVACY, AND COMMERCE


  • O'Reilly & Associates released "Web Security, Privacy & Commerce," a book by Simson Garfinkel and Gene Spafford that provides a reference on Web security risks and the techniques and technologies that you can use to protect yourself against these risks. Topics include cryptography, passwords, digital signatures, biometrics, cookies, log files, spam, Web logs, the Secure Sockets Layer (SSL), digital payments, client-side signatures, pornography filtering, intellectual property, and legal issues. The 756-page book costs $44.95. Contact O'Reilly at 800-998-9938.
    http://www.oreilly.com

     

  • RESTRICT FILE AND FOLDER ACCESS


  • CenturionSoft and SoftClan released SoftClan Security Suite, a security and auditing program that can provide Windows Me and Windows 9x systems with protection levels similar to Windows NT on NTFS. You can administer the software by using a transparent monitoring process that doesn't affect system performance. The software restricts file and folder access to protect a system from intruders, accidents, and viruses. The software controls and audits PC use for each user, which is important for PCs that have multiple users. SoftClan Security Suite costs $39.95. Contact CenturionSoft or SoftClan at 202-293-5151.
    http://www.centurionsoft.com

     

  • SUBMIT TOP PRODUCT IDEAS


  • Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].

    8. HOT THREADS

     

  • WINDOWS & .NET MAGAZINE ONLINE FORUMS


  • Featured Thread: Can DHCP Authenticate a Workstation Before Issuing an IP Address?


  • (One message in this thread)

    Rich writes that he'll be migrating to a Windows 2000 DHCP server soon. He has a requirement that nonauthorized machines not be allowed on the network. Right now, Rich registers valid media access control (MAC) addresses through DHCP to prevent nonauthorized machines on the network, but performing this task is an administrative nightmare. Rich wants to know whether DHCP performs some other type of machine/user authentication before it issues an IP address so that if the authentication fails, the machine doesn't receive an address on the network. Do you know of any other solution to keep nonauthorized machines off a network? Read the responses or lend a hand:
    http://www.secadministrator.com/forums/thread.cfm?thread_id=109634

     

  • HOWTO MAILING LIST


  • http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

    Featured Thread: Event ID 1000 and Event ID 1202 in Win2K DCs
    (One message in this thread)

    Eric recently had to take down the root server in his domain forest to reinstall the OS. Because he was running a second domain controller (DC) in the domain, the second controller took over as the root of the forest. He repaired the original domain root and put it back on the network as a DC. However, Eric now keeps receiving Event ID 1000 and Event ID 1202 error messages in the Application log every 5 minutes. He has reapplied the group policy link for the Domain Controller OU, but the error messages still appear. How can he resolve this problem? Read the responses or lend a hand at the following URL:
    http://63.88.172.96/listserv/page_listserv.asp?a2=ind0207c&l=howto&p=738

    9. CONTACT US
    Here's how to reach us with your comments and questions:

    (please mention the newsletter name in the subject line)

    This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
    http://www.secadministrator.com/sub.cfm?code=saei25xxup

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.net/email

    Thank you for reading Security UPDATE.
