Security UPDATE, June 19, 2002

Mark Joseph Edwards describes how one company uses a honeypot to foil credit card thieves on the Web, and how government agencies use a honeypot to warn consumers.

ITPro Today

June 18, 2002

Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com

THIS ISSUE SPONSORED BY

Making Security Policies Effective
http://www.bindview.com/0724wbnr2

SECURE MS EXCHANGE ***FREE EMAIL SECURITY WHITE PAPER
http://www.ciphertrust.com/article/Windows_NET_S01.htm
(below IN FOCUS)

SPONSOR: MAKING SECURITY POLICIES EFFECTIVE

Do you have security policies that are impossible to implement manually? Do you dread internal and external audits because you know you're going to get "dinged" again? Are you unclear on how to keep your policies in compliance with new regulatory requirements? If you answered yes to any or all of these questions, you are not alone. Many organizations have policies that are out of date and/or are not adhered to. To find out how you can make your security policies effective, tune in July 24 to a free Webinar from BindView "Making Security Policies Effective." Register at
http://www.bindview.com/0724wbnr2

June 19, 2002—In this issue:

1. IN FOCUS

  • Honeypots with a Sting

  • Editor's Note

2. SECURITY RISKS

  • Buffer Overrun in IIS 5.0 and IIS 4.0 HTR

  • Unchecked Buffer in Microsoft RAS Phonebook

  • Multiple Vulnerabilities in Microsoft SQLXML for SQL Server 2000

  • Unchecked Buffer in Microsoft Gopher Protocol Handler

3. ANNOUNCEMENTS

  • Struggling with IIS and Web Administration Concerns?

  • Special 2-for-1 Subscription Offer!

4. SECURITY ROUNDUP

  • News: Windows Users Threatened by IIS, IE, MSN Messenger Flaws

  • News: Akonix Systems to Release Software to Protect IM and P2P Traffic

  • Feature: Test Your Knowledge About Cookies

  • Feature: The Cost of Ignorance

5. HOT RELEASE

  • Spectracom's NetClock, for Secure Network Time

6. SECURITY TOOLKIT

  • Virus Center

  • FAQ: How Can I Check and Set a Volume's Dirty Status in Windows XP?

7. NEW AND IMPROVED

  • Submit Top Product Ideas

  • Snoop-Proof Your Files

  • Protect Programs and Files

8. HOT THREADS

  • Windows & .NET Magazine Online Forums

  • Featured Thread: Can I Force a User to Reauthenticate?

9. CONTACT US

  • See this section for a list of ways to contact us.

1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])

  • HONEYPOTS WITH A STING
    Have you considered using a honeypot on your network? You can use honeypots in many ways, and new uses are still unfolding in the information security landscape. One company, CardCops.com, established a honeypot not to catch network intruders but to catch perpetrators of fraud.

    Credit card information theft is a significant problem on the Internet, but CardCops.com has taken the offensive to nab those who would steal credit card information and use it to perpetrate fraud. CardCops.com founders Dan Clements and Mike Brown often had to spend part of their day chasing fraudulent Web-based ad impressions at their company, Ads360.com. The fraudulent ad impressions came from unscrupulous individuals who established Web sites, subscribed to various ad placement networks, then generated fake ad impressions by using automated software—often placing ads on unsuspecting victims' cracked systems. The ad impressions then generated revenue for the perpetrators.

    Clements and Brown noticed that those who generate fake ad impressions are often the same people who steal credit card information. They started CardCops.com to curb Internet credit card fraud. CardCops.com intends to catch criminals in the act of stealing credit card information and fraudulently using stolen credit card information.
    http://www.cardcops.com

    To set their short-lived trap, the company established a fake operation as laptop vendor Laptops4now.com, complete with an e-commerce Web site that served as the honeypot. The company then posted alluring messages to various chat channels, which credit card information thieves are known to frequent. The messages lured perpetrators by stating that Laptops4now.com would ship laptop orders anywhere. CardCops.com then systematically gathered forensic information as the orders came in and promptly turned the data over to the US Secret Service for investigation.

    Card thieves often use stolen cards to buy new laptops, which they then trade or sell. Thieves usually give shipping addresses to locations that they use as drop locations and from which they collect the goods and relay them to other points, sometimes overseas. They hope that by using foreign drop points, they can cover their tracks and make their actual identity and location more difficult to discover.

    CardCops.com turned on its fake Laptops4now.com Web site at 5:00 P.M. Pacific Standard Time on Wednesday, May 29, 2002. By 5:00 A.M. the next morning, the company had snared five criminals in its trap. In that 12-hour time period, Laptops4now.com received 16 overseas orders for new laptops (totaling more than $27,000), all ordered with stolen credit card information and all to be shipped to US drop locations. The orders came from foreign IP addresses and had US locations as shipping addresses, according to Patrick Granahan, CTO of CardCops.com. After CardCops.com emailed the United Parcel Service (UPS) tracking numbers to those customers, four of the five reordered Friday night. "The greed had set in," Granahan noted. As of Tuesday, June 11, the Laptops4now.com site had attracted more than 37 fraudulent laptop orders.

    CardCops.com hired a third-party security agency, Secure Net Labs, to track the online orders from the fake Laptops4now.com e-commerce site, and the overall operation has succeeded. The results verify how quickly thieves can attack reputable merchants with fraudulent orders, according to Keath Nupuf of Secure Net Labs. "Foreign [IP addresses], email addresses, drop addresses, and site scan origins were all captured as part of the project," Nupuf explained. The data has been turned over to law enforcement. "We have received the data and are investigating," said Don Masters, US Secret Service Agent based in Los Angeles. CardCops.com hopes the data will lead to the identity and arrest of global intruders and credit card information thieves. I'll keep you posted.
    http://www.securenetlabs.com
    http://www.ectaskforce.org/Regional_Locations.htm

    In a recent interview, I learned that CardCops.com had just finished its second honeypot sting operation. The company established an Apache Web site that presented a fake Microsoft IIS Web server bug that supposedly exposed a file containing bogus credit card information. The company designed the trap to snare intruders who tried to steal that credit card data. The operation succeeded in catching thieves in the act of stealing the bogus data file. The company said that ideas for further sting operations are in the works.

    Another less recent endeavor also stretches the notion of honeypots. In January, the Securities and Exchange Commission (SEC) posted a press release to lure investors to the Web site of McWhortle Enterprises, a fictitious company about to make its initial public offering (IPO) in the stock market. The company's nonexistent product, the Bio-Hazard Detector, was a protection device that played on public fears of terrorist attacks. The device claimed to detect "microscopic levels of hazardous bio-organisms ... even the finest-milled, weapons-grade biohazards from 50 feet, long before the risk of inhalation or cutaneous (skin) infection, by testing for the distinctive surface leptins (neurotransmitters)." The company sought to raise millions of dollars and promised investors 400 percent gains in just 3 months.

    However, when visitors reached the fake McWhortle Web site, they were led to a warning page that said, "If you responded to an investment idea like this ... you could get scammed!" The SEC, the Federal Trade Commission (FTC), the North American Securities Administrators Association (NASAA), and the National Association of Securities Dealers (NASD) sponsored the operation, which was designed to make online investors more cautious and so keep online investment fraud from succeeding.
    http://www.mcwhortle.com/ipogreenlight.htm
    http://www.mcwhortle.com/onlinebid.htm

    Honeypots can trap all kinds of users, including blatant criminals, curiosity-driven intruders, and members of the public who want to make a fast buck. Honeypots don't have to be expensive or comprehensive. As the preceding stories demonstrate, you can develop honeypots that are simple, temporary, and highly targeted. When you consider your honeypot design, take time to be creatively convincing.

  • EDITOR'S NOTE


We need your help to make this and other email newsletters from Windows & .NET Magazine as useful to you as they can be. To help us with our editorial planning, please answer the Windows & .NET Magazine Network Email Newsletter & Web Site Survey, available at the following URL. If you provide your email address at the end of the survey, we'll put your name in a drawing for a Windows & .NET Magazine T-shirt. Thank you! We appreciate your help.
http://www.zoomerang.com/survey.zgi?QN1V072PTHGA5PGS9R9LGR5R

SPONSOR: SECURE MS EXCHANGE ***FREE EMAIL SECURITY WHITE PAPER

Protect MS Exchange from SPAM, VIRUSES, HACKERS and other threats. CipherTrust has INTEGRATED DEFENSES for these email-related threats into a single comprehensive gateway appliance - IronMail. As a stand-alone device, IronMail protects your email infrastructure and messages and secures webmail systems such as Outlook Web Access.

  • PREVENT SPAM

  • STOP ATTACKS from viruses, worms and hackers

  • SECURE DELIVERY

  • Enforce corporate EMAIL POLICY

Request white paper:
http://www.ciphertrust.com/article/Windows_NET_S01.htm

2. SECURITY RISKS
(contributed by Ken Pfeil, [email protected])

  • BUFFER OVERRUN IN IIS 5.0 AND IIS 4.0


eEye Digital Security discovered a buffer-overrun condition in Microsoft Internet Information Services (IIS 5.0) and Internet Information Server (IIS) 4.0 that can lead to remote compromise of the affected system. This vulnerability stems from an unchecked buffer in the Internet Server API (ISAPI) extension that implements the HTR scripting component. Microsoft has released Microsoft Security Bulletin MS02-028 (Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise) to address this vulnerability, which doesn't affect users who don't use HTR. Microsoft recommends that only affected users download and apply the appropriate patch mentioned in the bulletin.
http://www.secadministrator.com/articles/index.cfm?articleid=25587

  • UNCHECKED BUFFER IN MICROSOFT RAS PHONEBOOK


Next Generation Security Software discovered a buffer-overrun condition in Microsoft's RAS phonebook implementation that can compromise the affected system. If an attacker logs on to an affected server, modifies a phonebook entry by using specially malformed data, then makes a connection using this modified phonebook entry, the malformed data can run as code with LocalSystem security privileges. Microsoft has released Microsoft Security Bulletin MS02-029 (Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution) to address this vulnerability and recommends that affected users download and apply the appropriate patch mentioned in the bulletin.
http://www.secadministrator.com/articles/index.cfm?articleid=25588

  • MULTIPLE VULNERABILITIES IN SQLXML FOR SQL SERVER 2000


Matt Moore discovered two vulnerabilities in XML for Microsoft SQL Server (SQLXML). The first problem is a buffer overrun that lets an attacker execute arbitrary code on the affected system, and the second problem is in a function specifying an XML tag that lets an attacker run script on the user's computer in a higher privilege zone, such as "Intranet" instead of "Internet." Microsoft has released Microsoft Security Bulletin MS02-030 (Unchecked Buffer in SQLXML Could Lead to Code Execution) to address this vulnerability and recommends that affected users download and apply the appropriate patch mentioned in the bulletin.
http://www.secadministrator.com/articles/index.cfm?articleid=25589

  • UNCHECKED BUFFER IN MICROSOFT GOPHER PROTOCOL HANDLER


Jouko Pynnonen discovered a buffer-overrun condition in Microsoft's implementation of the gopher protocol in Microsoft Internet Explorer (IE), Internet Security and Acceleration (ISA) Server 2000, and Proxy Server 2.0 that can lead to remote compromise of the affected system. This vulnerability stems from an unchecked buffer in the code that handles responses from gopher servers. Microsoft has released Microsoft Security Bulletin MS02-027 (Unchecked Buffer in Gopher Protocol Can Run Code of Attacker's Choice) to address this vulnerability. Microsoft is currently developing a patch, but as a workaround, affected users should block the gopher protocol at the perimeter.
http://www.secadministrator.com/articles/index.cfm?articleid=25534

3. ANNOUNCEMENTS
(brought to you by Windows & .NET Magazine and its partners)

  • STRUGGLING WITH IIS AND WEB ADMINISTRATION CONCERNS?


Discover Windows Web Solutions online, the Web site with articles, tips, and more to help you manage and overcome the security, performance, and maintenance concerns Web site administrators deal with every day. Don't miss this article: "15 Tips for Troubleshooting VPN Connections". Check it out!
http://www.windowswebsolutions.com

  • SPECIAL 2-FOR-1 SUBSCRIPTION OFFER!


Windows & .NET Magazine can help you find the right answer to an urgent problem, discover better ways to manage your enterprise, or prepare for an important migration. How can we improve on a resource this good? Subscribe now at our regular rate, and bring on a friend or colleague for free! This is a limited time offer, so act now!
http://www.winnetmag.com/sub.cfm?code=21ap2f21

4. SECURITY ROUNDUP

  • NEWS: WINDOWS USERS THREATENED BY IIS, IE, MSN MESSENGER FLAWS


Microsoft has admitted to three serious new security vulnerabilities, one of which could let attackers seize control of Web sites that use Microsoft Internet Information Services 5.0. IIS 5.0 currently runs more than a third of all Web sites on the Internet and an even larger percentage of corporate Web sites. Microsoft has issued a patch for this vulnerability, which affects the IIS versions in Windows 2000 and Windows NT but doesn't affect Windows XP.
http://www.secadministrator.com/articles/index.cfm?articleid=25552

  • NEWS: AKONIX SYSTEMS TO RELEASE SOFTWARE TO PROTECT IM AND P2P TRAFFIC


Akonix Systems announced that it will release its new L7 Gateway, a perimeter security product designed to protect networks against "rogue protocols." The new gateway software intercepts specific protocols, such as Instant Messaging (IM) and file-sharing software, at network borders to enforce company-defined security policies.
http://www.secadministrator.com/articles/index.cfm?articleid=25535

  • FEATURE: TEST YOUR KNOWLEDGE ABOUT COOKIES


Solve this month's Reader Challenge problem from Kathy Ivens, and you might win a prize! The problem involves privacy protection and cookies when using Windows clients with Microsoft Internet Explorer (IE). To read about the contest and this month's problem, be sure to visit our Web site. Submissions must be in by June 21!
http://www.secadministrator.com/articles/index.cfm?articleid=25540

  • FEATURE: THE COST OF IGNORANCE


By now, you should have heard about the Spida (aka Digispid.B) worm, which attacks Microsoft SQL Server. The main difference between this worm and some others (e.g., the Klez virus/worm) is that you can avoid it easily—simple common sense and a little training are all you need to ward off the Spida worm.
http://www.secadministrator.com/articles/index.cfm?articleid=25509

5. HOT RELEASE

  • SPECTRACOM'S NETCLOCK, FOR SECURE NETWORK TIME


Does your network depend on a Time Source that's outside your Firewall? Doesn't your network need an accurate clock source? Think "Time" is FREE over the Internet? Spectracom's NetClock/NTP and White-Paper can help you.
http://www.spectracomcorp.com/netclockntp.html
http://www.spectracomcorp.com/internettimeservers.html

6. SECURITY TOOLKIT

  • VIRUS CENTER


Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

  • FAQ: HOW CAN I CHECK AND SET A VOLUME'S DIRTY STATUS IN WINDOWS XP?


(contributed by John Savill, http://www.windows2000faq.com)

A. The XP version of Fsutil lets you query and set a volume's dirty flag. This flag signals that the volume has experienced a problem and that you must run Chkdsk to identify and fix the problem. For example, shutting down Windows suddenly can sometimes cause the OS to set the dirty flag.

1. To query a volume's current state, at the command prompt, type

fsutil dirty query <drive>:

where <drive> is the volume's drive letter (for example, C). The result will be either

Volume - <drive>: is Dirty

or

Volume - <drive>: is NOT Dirty

2. To set the status of a volume's dirty flag, at the command prompt, type

fsutil dirty set <drive>:

Use this command with care: XP won't ask you to confirm this action, and you can't use this command to set the dirty flag's status to clean.
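The two steps above cover one volume at a time. As an added example (not part of the FAQ or of Fsutil itself), the following PowerShell function queries the dirty flag on every fixed local volume and reports the ones that need Chkdsk; it assumes an elevated prompt, since fsutil dirty requires administrative rights, and uses Get-CimInstance to enumerate fixed disks.

```powershell
# Added example: sweep every fixed local volume with "fsutil dirty query"
# and collect the result as objects. Assumes an elevated (administrator)
# PowerShell session; fsutil refuses to run otherwise.
function Get-DirtyVolumes {
    param(
        # Drive letters to check. Default: all fixed disks (DriveType 3),
        # enumerated through WMI/CIM, e.g. "C:", "D:".
        [string[]]$Drives = (Get-CimInstance Win32_LogicalDisk -Filter "DriveType=3" |
                             ForEach-Object { $_.DeviceID })
    )
    foreach ($drive in $Drives) {
        # fsutil prints "Volume - C: is Dirty" or "Volume - C: is NOT Dirty".
        # Errors (e.g. not elevated) are captured in the same string.
        $output = (& fsutil dirty query $drive 2>&1) -join ' '
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "fsutil failed for $drive`: $output"
            continue
        }
        [pscustomobject]@{
            Drive = $drive
            # "is Dirty" does not match "is NOT Dirty", so this is unambiguous.
            Dirty = ($output -match 'is Dirty')
            Raw   = $output.Trim()
        }
    }
}

# Report only the volumes whose flag is set. Fsutil cannot clear the flag;
# running Chkdsk with /f on the volume is what clears it (the FAQ's point).
Get-DirtyVolumes | Where-Object { $_.Dirty } | ForEach-Object {
    Write-Output "$($_.Drive) is dirty; schedule: chkdsk $($_.Drive) /f"
}
```

Pass an explicit list, such as Get-DirtyVolumes -Drives 'C:','E:', to check only selected volumes.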

7. NEW AND IMPROVED
(contributed by Judy Drennen, [email protected])

  • SUBMIT TOP PRODUCT IDEAS


Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].

  • SNOOP-PROOF YOUR FILES


WinAbility released Folder Guard Professional 5.4, a Windows security program that you can use to restrict access to files, folders, and other computer resources. When Folder Guard hides a folder, the folder's contents become invisible to all applications including Windows programs such as Windows Explorer, applications such as Microsoft Office, and even MS-DOS programs. Folder Guard runs on Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x and costs $69.95. Contact WinAbility at 720-489-3872 or [email protected].
http://www.winability.com

  • PROTECT PROGRAMS AND FILES


WinGuard Pro announced WinGuard Pro 4.0, a security program that prevents data loss, system changes, and unauthorized application access. WinGuard Pro lets you password protect any of your Windows programs and files and other applications such as the Control Panel. WinGuard Pro runs automatically at system startup and sits in the background monitoring any programs and files opened. The utility runs on Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x and costs $23.95. Contact WinGuard Pro at [email protected] or go to the Web site.
http://www.winguardpro.com

8. HOT THREADS

  • WINDOWS & .NET MAGAZINE ONLINE FORUM


http://www.winnetmag.com/forums

Featured Thread: Can I Force a User to Reauthenticate?
(Two messages in this thread)

Afroze wants to force an already logged-on user to reenter his or her username and password—to reauthenticate the user as a valid Windows NT user. To design a custom program to force this reauthentication, Afroze wants to know about any available functions he might use. To read the response or lend a hand, use the URL below.
http://www.secadministrator.com/forums/thread.cfm?thread_id=106930

9. CONTACT US
Here's how to reach us with your comments and questions:

This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
http://www.secadministrator.com/sub.cfm?code=saei25xxup

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email
