Security UPDATE, September 18, 2002
Mark Joseph Edwards shares his concerns about hardware-based security, in particular Microsoft's Palladium, as the direction of the future.
September 17, 2002
Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com
THIS ISSUE SPONSORED BY
Consolidated Security Auditing and Monitoring
http://www.aelita.com/wnet0918
Wireless WP
http://www.ibm.com/e-business/playtowin/n240
(below IN FOCUS)
SPONSOR: CONSOLIDATED SECURITY AUDITING AND MONITORING
HIPAA? Gramm-Leach-Bliley? BS7799/ISO17799? Aelita InTrust(tm) bridges the gap between industry regulations & policies and your IT infrastructure. InTrust consolidates, archives, and analyzes heterogeneous IT audit data and offers numerous reports to assist in documenting compliance. And InTrust's data repositories enable efficient, permanent storage of all event data. Get started with the FREE security assessment tool: Aelita InTrust Audit Advisor!
http://www.aelita.com/wnet0918
September 18, 2002—In this issue:
1. IN FOCUS
Is Discovering Security Holes a Catch-22?
2. SECURITY RISKS
Certificate Validation Vulnerability in Multiple Microsoft Products
3. ANNOUNCEMENTS
Mark Minasi and Paul Thurrott Are Bringing Their Security Expertise to You!
Real-World Tips and Solutions Here for You
4. SECURITY ROUNDUP
News: Surprise: Microsoft's Java Implementation Is Full of Security Holes
News: Privacy Groups Not Done Complaining About Passport
News: Windows XP SP1 Already Cracked
News: Intel 3GHz Pentium 4 with Hyperthreading in 2002; Security in 2003
News: Intel and VeriSign Announced Processor-Based Authentication
5. INSTANT POLL
Results of Previous Poll: Warchalking
New Instant Poll: A Year of Security
6. SECURITY TOOLKIT
Virus Center
FAQ: Why Did My FTP Password Stop Working on My Windows 2000 System After I Installed the Win2K Security Rollup Package 1 (SRP1)?
7. NEW AND IMPROVED
Protect Your PC from Trojan Horses
Security for Web Services and Web-Based Networks
Submit Top Product Ideas
8. HOT THREADS
Windows & .NET Magazine Online Forums
Featured Thread: Blocking by Port?
9. CONTACT US
See this section for a list of ways to contact us.
1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])
IS DISCOVERING SECURITY HOLES A CATCH-22?
In an email message last week, I received a URL to a Web site on which I saw more than a dozen vulnerabilities in Microsoft products (19 as of September 16). Patches are either not available or offer insufficient protection. The most recent vulnerability was reported on September 9, 2002, and the oldest was reported on June 6, 2000.
http://www.pivx.com/larholm/unpatched
The vulnerabilities include serious problems, such as exposing local files, sniffing Secure Sockets Layer (SSL) connections, installing and executing arbitrary programs, breaching firewalls, elevating privileges, and buffer overflows. Why aren't patches available for these problems? The answer is probably manifold.
Given that users reported some of the vulnerabilities last week, we can assume that Microsoft is working on patches to correct them. Other vulnerabilities do have available patches—but not for all versions of a product. For example, regarding two Microsoft Internet Explorer (IE) problems (cssText Local File Reading and DynSrc Local File detection, which relate to reading data from local files and determining whether certain files exist, respectively), patches are available for IE 6.0, but not for IE 5.x.
Microsoft released IE 6.0 some time ago and recently released Service Pack 1 (SP1) for that version (see the first URL below). However, many users still have IE 5.x. Recent reports that show IE's presence on about 94 percent of all desktops also show that 48 percent of those users still have IE 5.x versions of the browser (see the second URL below). Why do we lack patches for serious vulnerabilities in IE 5.x? We could infer that Microsoft wants users to "toe the line" and upgrade to IE 6.0 SP1.
http://www.microsoft.com/windows/ie/default.asp
http://www.upsdell.com/browsernews/stat.htm
According to "InfoWorld," Microsoft Windows Division Senior Vice President Brian Valentine recently made some rather startling statements. At the Windows .NET Server (Win.NET Server) 2003 developer conference, Valentine said, "I'm not proud. We really haven't done everything we could to protect our customers ... Our products just aren't engineered for security ... We realized that we couldn't continue with the way we were building software and expect to deliver secure products ... It's impossible to solve the problem completely, as we solve these problems there are hackers who are going to come up with new ones. There's no end to this."
http://www.infoworld.com/articles/hn/xml/02/09/05/020905hnmssecure.xml
Why would Microsoft admit, somewhat apologetically, that the company hasn't done all it could do for security? Given the constant barrage of security problems still being discovered, won't the company make significant security changes in its code base? Furthermore, won't Microsoft slow its rush to bring new products to market faster than we can adapt to the current ones? Unfortunately, the answer is probably not, especially given some of the company's latest technology announcements.
Microsoft recently announced its intention to create a hardware-based platform for security, code-named Palladium. Palladium will offload certain aspects of system security (aspects that have resided inside a user-controlled OS) onto Intel-developed hardware designed to work with Microsoft-sanctioned security technology.
Clearly, Palladium will, in some instances, relieve Microsoft of the burden of writing more-secure software. At the same time, the new security approach will put users in the uncomfortable position of choosing whether they should upgrade every computer and OS to continue "following" Microsoft by adopting Palladium. To help foster Palladium adoption, Microsoft will probably release yet another resource-intensive OS that couldn't possibly run well on users' existing hardware. And if the company also continues to forgo releasing security patches for previous software packages, that will prod users even harder.
http://www.secadministrator.com/articles/index.cfm?articleid=26675
I have deep concerns about hardware-based security as the direction of the future. Bruce Schneier expressed the sentiments of many users quite clearly in a recent "Crypto-Gram" newsletter (see the URL below): "There's a lot of good stuff in [Palladium], and a lot I like about it. There's also a lot I don't like, and am scared of. My fear is that [Palladium] will lead us down a road where our computers are no longer our computers, but are instead owned by a variety of factions and companies all looking for a piece of our wallet. To the extent that [Palladium] facilitates that reality, it's bad for society. I don't mind companies selling, renting, or licensing things to me, but the loss of the power, reach, and flexibility of the computer is too great a price to pay."
http://www.counterpane.com/crypto-gram-0208.html#1
Hacking Microsoft products is no longer about the white-hat angle of coaxing Microsoft to write better code and alerting users to vulnerabilities or the black-hat angle of attacking Microsoft. Right now, the more diligently hackers work to find security bugs, the more they support the eventual adoption of Microsoft Palladium, as well as other vendor-centric hardware-based security subsystems that will quickly make their way to market. (For more about Intel and VeriSign's recently announced processor-based authentication, for example, see the news story in this edition of the newsletter or use the URL below.)
http://www.secadministrator.com/articles/index.cfm?articleid=26671
If more severe security problems are discovered and reported (and we can assume they will be), that's fuel for the vendor-centric hardware security platforms of the near future. Conversely, if those security problems go undiscovered or unreported, users remain unknowingly at high risk. With the advent of Palladium, Microsoft benefits either way. But do we? It's a veritable Catch-22.
SPONSOR: WIRELESS WP
Put wireless technologies to work for your organization to build a flexible and more competitive e-business. The IBM white paper, "A Wireless World Awaits: Nine Moves that Mobilize e-business," can help you learn how wireless technology solutions extend your company's reach and help you and your partners work securely while still remaining focused on your core business issues. Also covered are early implementation questions, planning issues, and reasons for getting started now. Visit us online today to download your complimentary copy at http://www.ibm.com/e-business/playtowin/n240
2. SECURITY RISKS
(contributed by Ken Pfeil, [email protected])
CERTIFICATE VALIDATION VULNERABILITY IN MULTIPLE MICROSOFT PRODUCTS
Microsoft discovered a vulnerability in its CryptoAPI that can let an attacker use digital certificates to spoof his or her identity. This vulnerability stems from a problem in the APIs that construct and validate certificate chains—they don't check the basic constraints field. The same type of vulnerability (but unrelated to CryptoAPI) also occurs in several products for the Macintosh. Microsoft has released Security Bulletin MS02-050 (Certificate Validation Flaw Could Enable Identity Spoofing) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin. For a detailed explanation of the risks and a link to the patch, be sure to visit our Web site.
http://www.secadministrator.com/articles/index.cfm?articleid=26559
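The missing check described above, as an added example that is not from Microsoft or the bulletin: a small Python model of certificate-chain validation in which the basicConstraints cA flag and pathLenConstraint are either enforced or skipped, so the same chain can be run through the pre-fix and post-fix behaviour. Signatures are modelled with HMAC in place of RSA so the code runs with the standard library only, and the certificate names and secrets are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for public-key signing so the model runs with the standard
# library only: each certificate holder has a secret and "signs" with HMAC-SHA256.
SECRETS: dict = {}

@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool                     # basicConstraints cA flag
    path_len: Optional[int] = None  # basicConstraints pathLenConstraint
    signature: bytes = b""

    def tbs(self) -> bytes:  # the "to be signed" fields the issuer vouched for
        return f"{self.subject}|{self.issuer}|{self.is_ca}|{self.path_len}".encode()

def sign(issuer: str, tbs: bytes) -> bytes:
    return hmac.new(SECRETS[issuer], tbs, hashlib.sha256).digest()

def issue(issuer: str, subject: str, is_ca: bool, path_len: Optional[int] = None) -> Cert:
    cert = Cert(subject, issuer, is_ca, path_len)
    cert.signature = sign(issuer, cert.tbs())
    return cert

def validate_chain(chain: list, trust_anchors: list, check_constraints: bool = True) -> bool:
    """chain[0] is the end-entity cert, chain[-1] must be a trust anchor.
    check_constraints=False reproduces the pre-MS02-050 behaviour."""
    if not chain or chain[-1].subject not in trust_anchors:
        return False
    for i, cert in enumerate(chain[:-1]):
        issuer = chain[i + 1]
        if cert.issuer != issuer.subject or cert.issuer not in SECRETS:
            return False
        if not hmac.compare_digest(sign(cert.issuer, cert.tbs()), cert.signature):
            return False
        if check_constraints:
            if not issuer.is_ca:  # only a cert flagged cA may act as an issuer
                return False
            # pathLenConstraint caps the CA certs below this issuer; the i certs
            # between it and the end-entity cert are exactly those.
            if issuer.path_len is not None and i > issuer.path_len:
                return False
    return True

def build_demo():
    """Constructed sample: Root CA issues a non-CA server cert to shop.example,
    whose holder then signs a cert naming www.bank.example."""
    SECRETS.update({"Root CA": b"root-secret", "shop.example": b"shop-secret"})
    root = issue("Root CA", "Root CA", is_ca=True)        # self-signed trust anchor
    shop = issue("Root CA", "shop.example", is_ca=False)  # legitimate end-entity cert
    spoofed = issue("shop.example", "www.bank.example", is_ca=False)
    return root, shop, spoofed
```

Run `validate_chain([spoofed, shop, root], ["Root CA"], check_constraints=False)` to see the chain accepted as the unpatched validator would, and the same call with the default to see it rejected.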
3. ANNOUNCEMENTS
(brought to you by Windows & .NET Magazine and its partners)
MARK MINASI AND PAUL THURROTT ARE BRINGING THEIR SECURITY EXPERTISE TO YOU!
Windows & .NET Magazine Network Road Show 2002 is coming this October to New York, Chicago, Denver, and San Francisco! Industry experts Mark Minasi and Paul Thurrott will show you how to shore up your system's security and what desktop security features are planned for Microsoft .NET and beyond. Sponsored by NetIQ, Microsoft, and Trend Micro. Registration is free, but space is limited so sign up now!
http://www.winnetmag.com/seminars/roadshow
REAL-WORLD TIPS AND SOLUTIONS HERE FOR YOU
Early-bird discount for Windows & .NET Magazine LIVE! expires September 21st! Register now, and you'll also receive access to sessions of concurrently run XML Web Services Connections. Choose from more than 70 sessions and save $1595. Discover why more than half of our attendees choose to attend only LIVE! events, which are chock-full of "been there, done that" knowledge from people who use Microsoft products in the real world. Register now at
https://secure.win2000mag.com/events/windows_register.asp
4. SECURITY ROUNDUP
NEWS: SURPRISE: MICROSOFT'S JAVA IMPLEMENTATION IS FULL OF SECURITY HOLES
Jouko Pynnonen of Online Solutions in Finland discovered a series of severe security vulnerabilities in Microsoft's Java implementation. Some of the vulnerabilities let attackers run arbitrary code through Microsoft Internet Explorer (IE) and Microsoft Outlook Express. According to a message posted to the NTBugTraq mailing list on September 9, Pynnonen discovered and reported to Microsoft as many as 10 such vulnerabilities during July and August.
http://www.secadministrator.com/articles/index.cfm?articleid=26623
NEWS: PRIVACY GROUPS NOT DONE COMPLAINING ABOUT PASSPORT
Two of the privacy groups that exhorted the Federal Trade Commission (FTC) to investigate Microsoft for privacy and security violations in Microsoft .NET Passport are now asking the FTC to reconsider its early August settlement with the software giant. Citing concerns that the agreement doesn't do enough to protect consumers, the Electronic Privacy Information Center (EPIC) and Computer & Communications Industry Association (CCIA) have separately lobbied the FTC to come down harder on Microsoft.
http://www.secadministrator.com/articles/index.cfm?articleid=26617
NEWS: WINDOWS XP SP1 ALREADY CRACKED
As Paul Thurrott noted in a Short Take item in the September 13, 2002, edition of WinInfo Daily UPDATE, by the time Microsoft released Windows XP Service Pack 1 (SP1), intruders had already issued a patch that lets users with illegally obtained copies of the OS upgrade to SP1, an ability the service pack was supposed to prevent. Microsoft says, however, that it intended the feature to prevent casual copying only, and that the company knew all along that it couldn't prevent the hacker community from finding a way to upgrade. Users can circumvent the no-upgrade policy by using a Product Key changer program that lets users change XP's Windows Product Activation (WPA) key to a new key that isn't on Microsoft's no-upgrade list.
http://www.wininformant.com/articles/index.cfm?articleid=26625
NEWS: INTEL: 3GHZ PENTIUM 4 WITH HYPERTHREADING IN 2002; SECURITY IN 2003
Intel announced a slew of new products at the annual Intel Developer Forum in San Jose, California, touching off a year of massive upgrades that the company says will further distance it from the competition. Intel plans upgrades and new products in virtually every product category it covers, including processors for every type of hardware from PDAs to the most massively scalable server products in the world.
http://www.secadministrator.com/articles/index.cfm?articleid=26616
NEWS: INTEL AND VERISIGN ANNOUNCE PROCESSOR-BASED AUTHENTICATION
In what might become a significant blow to competitors, Intel and VeriSign announced that Intel's upcoming line of mobile processors (code-named Banias) will support VeriSign's digital certificate and Personal Trust Agent (PTA) technology. VeriSign said that by integrating the two technologies, a PC is thereby transformed into a "digital credential that can then be used to perform many e-business functions in the corporate IT environment, such as single sign-on, more secure remote access, and trusted peer-to-peer computing."
http://www.secadministrator.com/articles/index.cfm?articleid=26671
5. INSTANT POLL
RESULTS OF PREVIOUS POLL: WARCHALKING
The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Has your wireless network been warchalked?" Here are the results (+/- 2 percent) from the 136 votes:
- 10% Yes
- 51% No
- 38% I'm not sure
NEW INSTANT POLL: A YEAR OF SECURITY
The next Instant Poll question is, "Do you think that your organization's network is more secure or less secure than it was a year ago?" Go to the Security Administrator Channel home page and submit your vote for a) More secure, b) Less secure, or c) Not sure.
http://www.secadministrator.com
6. SECURITY TOOLKIT
VIRUS CENTER
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda
FAQ: WHY DID MY FTP PASSWORD STOP WORKING ON MY WINDOWS 2000 SYSTEM AFTER I INSTALLED THE WIN2K SECURITY ROLLUP PACKAGE 1 (SRP1)?
(contributed by John Savill, http://www.windows2000faq.com)
A. After you install the Win2K SRP1, Win2K considers leading white-space characters (i.e., spaces) in the FTP password to be valid characters and no longer removes them. As a result, if a stored password contains spaces, you must include the spaces when you enter the password. Likewise, if the password doesn't contain spaces, you must ensure that the password you type has no leading spaces.
7. NEW AND IMPROVED
(contributed by Judy Drennen, [email protected])
PROTECT YOUR PC FROM TROJAN HORSES
Anti-Trojan Network released Anti-Trojan 5.5, software to protect your PC from the threat of Trojan horses. Anti-Trojan 5.5 lets users protect their computers by scanning all ports on their PCs, checking for the presence of Trojan horses in the registry, and scanning the contents of the system's hard drives. The software runs on Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x and costs $22 per single license. Contact Anti-Trojan Network at the Web site.
http://www.anti-trojan.net
SECURITY FOR WEB SERVICES AND WEB-BASED NETWORKS
Array Networks announced Array SP (Security Proxy), a platform to help enterprises defend and police Web services and applications with trusted encryption, authentication, authorization, and accounting. Array SP's rich set of features, intuitive GUI, and Plug and Play (PnP) installation ensure painless Web security. Contact Array Networks at 408-874-2420.
http://www.arraynetworks.net
SUBMIT TOP PRODUCT IDEAS
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].
8. HOT THREADS
WINDOWS & .NET MAGAZINE ONLINE FORUMS
http://www.winnetmag.com/forums
Featured Thread: Blocking by Port?
(Three messages in this thread)
A user writes that he has a Windows NT Server 4.0 Service Pack 6a (SP6a) environment with Microsoft Proxy Server 2.0. Users on the network access the Internet through the proxy server. He would like to block access that originates on the network to any sites that don't use port 80 for HTTP. How can he configure Proxy Server to do this? Can he block this sort of access using his Cisco Systems 1605 router? Read the responses or lend a hand:
http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=46005
9. CONTACT US
Here's how to reach us with your comments and questions:
ABOUT IN FOCUS — [email protected]
ABOUT THE NEWSLETTER IN GENERAL — [email protected]
(please mention the newsletter name in the subject line)
TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
PRODUCT NEWS — [email protected]
QUESTIONS ABOUT YOUR Windows & .NET Magazine Security UPDATE SUBSCRIPTION?
Customer Support — [email protected]
WANT TO SPONSOR Windows & .NET Magazine Security UPDATE?
[email protected]
This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
http://www.secadministrator.com/sub.cfm?code=saei25xxup
Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email